From ab4ef9323b7fc3bcc26a41cbfa808ecf6b49dc2b Mon Sep 17 00:00:00 2001 From: r1chev <49188293+r1chev@users.noreply.github.com> Date: Thu, 6 Jun 2024 14:41:01 +0000 Subject: [PATCH] Refresh Built-in detection rules documentation --- ...f5e-a585fc7c8fc0_do_not_edit_manually.json | 2 +- ...41e-af269b45bef1_do_not_edit_manually.json | 2 +- ...7d1-588319e39d71_do_not_edit_manually.json | 2 +- ...5c4-c8174c307e48_do_not_edit_manually.json | 2 +- ...06d-f92f3a46bcdd_do_not_edit_manually.json | 2 +- ...575-9e43af779f9f_do_not_edit_manually.json | 2 +- ...5e2-4597e366b8c4_do_not_edit_manually.json | 2 +- ...02e-e88fe2193365_do_not_edit_manually.json | 2 +- ...dc1-0242ac120002_do_not_edit_manually.json | 2 +- ...803-e7990afe78b6_do_not_edit_manually.json | 2 +- ...b17-90c0be6b1f10_do_not_edit_manually.json | 2 +- ...9b6-76bf5298a617_do_not_edit_manually.json | 2 +- ...fbd-01e3fac01cd5_do_not_edit_manually.json | 2 +- ...c24-2d7129137688_do_not_edit_manually.json | 2 +- ...13a-f8dd48cddc8c_do_not_edit_manually.json | 2 +- ...46b-974354a107bb_do_not_edit_manually.json | 2 +- ...cfd-43f7d9595777_do_not_edit_manually.json | 2 +- ...176-f1fa13589eea_do_not_edit_manually.json | 2 +- ...d19-67edc91fb063_do_not_edit_manually.json | 2 +- ...c1c-46804e636084_do_not_edit_manually.json | 2 +- ...e06-7b335e439c29_do_not_edit_manually.json | 2 +- ...916-636c27ba4931_do_not_edit_manually.json | 2 +- ...b02-e72f870fcbd1_do_not_edit_manually.json | 2 +- ...58e-81b9418e6584_do_not_edit_manually.json | 2 +- ...901-b7fadfb0ba48_do_not_edit_manually.json | 2 +- ...038-3f7d5a3b8b11_do_not_edit_manually.json | 2 +- ...976-250cba2eaf5b_do_not_edit_manually.json | 2 +- ...00a-2b58303cac90_do_not_edit_manually.json | 2 +- ...e47-1574946412b6_do_not_edit_manually.json | 2 +- ...750-5db882ea1266_do_not_edit_manually.json | 2 +- ...87f-48a3dc07d4d3_do_not_edit_manually.json | 2 +- ...833-e971451b2979_do_not_edit_manually.json | 2 +- ...e19-e38e167432a1_do_not_edit_manually.json | 2 +- ...033-6f1f887a70f2_do_not_edit_manually.json | 2 +- ...597-d2944a601930_do_not_edit_manually.json | 2 +- ...6bd-91a447bb26bd_do_not_edit_manually.json | 2 +- ...846-6f2a794583e1_do_not_edit_manually.json | 2 +- ...f3b-f73a622c9687_do_not_edit_manually.json | 2 +- ...c99-5c2de7e1d340_do_not_edit_manually.json | 2 +- ...4fa-28d6c1f2e2a8_do_not_edit_manually.json | 2 +- ...d69-684a0b3835fc_do_not_edit_manually.json | 2 +- ...d60-8fd5e39140b3_do_not_edit_manually.json | 2 +- ...109-c6d85b91bbcf_do_not_edit_manually.json | 2 +- ...703-7452882e70da_do_not_edit_manually.json | 2 +- ...2ff-0e1cde564161_do_not_edit_manually.json | 2 +- ...f81-30df7b1963a0_do_not_edit_manually.json | 2 +- ...e09-44d31626b694_do_not_edit_manually.json | 2 +- ...876-85102b18d832_do_not_edit_manually.json | 2 +- ...6cc-0ca31abd5d24_do_not_edit_manually.json | 2 +- ...28f-3ee3cd5b9a8e_do_not_edit_manually.json | 2 +- ...47b-ef64dd87c981_do_not_edit_manually.json | 2 +- ...861-0253b15de650_do_not_edit_manually.json | 2 +- ...746-b2b9f366e34b_do_not_edit_manually.json | 2 +- ...780-b225c59e9f99_do_not_edit_manually.json | 2 +- ...1f3-49e3993c16f5_do_not_edit_manually.json | 2 +- ...546-98539fc07725_do_not_edit_manually.json | 2 +- ...3ea-b9be92914fa2_do_not_edit_manually.json | 2 +- ...c61-6794fd44d9a8_do_not_edit_manually.json | 2 +- ...6db-90fcdd7236f1_do_not_edit_manually.json | 2 +- ...f2d-eed5013fe463_do_not_edit_manually.json | 2 +- ...4cf-3e64787c1c39_do_not_edit_manually.json | 2 +- ...60f-2d3fd0b46987_do_not_edit_manually.json | 2 +- ...c15-3828627ba899_do_not_edit_manually.json | 2 +- ...7a6-d575ffcb29f7_do_not_edit_manually.json | 2 +- ...5de-5c2722fa020e_do_not_edit_manually.json | 2 +- ...a62-49fa5f2c9206_do_not_edit_manually.json | 2 +- ...d8b-08d6315e1ef6_do_not_edit_manually.json | 2 +- ...893-a48b6903d871_do_not_edit_manually.json | 2 +- ...70f-fd3b54ba1fe4_do_not_edit_manually.json | 2 +- ...e15-4b99a12b754c_do_not_edit_manually.json | 2 +- ...fb3-f7c543fd84a5_do_not_edit_manually.json | 2 +- ...b6d-3f79045f28fa_do_not_edit_manually.json | 2 +- ...a81-31090d723a60_do_not_edit_manually.json | 2 +- ...bc9-74be1e0ca1c1_do_not_edit_manually.json | 2 +- ...cbb-bc830118c1f9_do_not_edit_manually.json | 2 +- ...079-ab35ac6b2ab9_do_not_edit_manually.json | 2 +- ...d7f-a0c39a2b2279_do_not_edit_manually.json | 2 +- ...398-031afe91faa0_do_not_edit_manually.json | 2 +- ...b3d-b7cb7b7db618_do_not_edit_manually.json | 2 +- ...079-3dd25d472e0a_do_not_edit_manually.json | 2 +- ...96a-8808b3c6cade_do_not_edit_manually.json | 2 +- ...18d-26e1e3b2409c_do_not_edit_manually.json | 2 +- ...f1d-772e9a30f0dd_do_not_edit_manually.json | 2 +- ...729-8cbc9c65be55_do_not_edit_manually.json | 2 +- ...563-db21da09cafd_do_not_edit_manually.json | 2 +- ...78a-51d62e84c8df_do_not_edit_manually.json | 2 +- ...4db-d6a2300f5580_do_not_edit_manually.json | 2 +- ...bcc-45fd108ba1be_do_not_edit_manually.json | 2 +- ...427-621541e881d5_do_not_edit_manually.json | 2 +- ...93f-bbd70d114188_do_not_edit_manually.json | 2 +- ...90d-9af2f7be7019_do_not_edit_manually.json | 2 +- ...76c-408472fcfebb_do_not_edit_manually.json | 2 +- ...1ed-b9e88f05e67a_do_not_edit_manually.json | 2 +- ...462-cf7fc8bcd51a_do_not_edit_manually.json | 2 +- ...060-a9d9f2d270db_do_not_edit_manually.json | 2 +- ...dd4-30f1870e3d03_do_not_edit_manually.json | 2 +- ...afa-595bd430c0cb_do_not_edit_manually.json | 2 +- ...f79-da99b487b1af_do_not_edit_manually.json | 2 +- ...e37-842703494be0_do_not_edit_manually.json | 2 +- ...ae5-aa67d2f29fcb_do_not_edit_manually.json | 2 +- ...6fc-8f8b2c617466_do_not_edit_manually.json | 2 +- ...55c-34d2301c1f51_do_not_edit_manually.json | 2 +- ...f5b-6968f8ac04ba_do_not_edit_manually.json | 2 +- ...0b6-7df6738d5d7f_do_not_edit_manually.json | 2 +- ...659-9bf0e577944f_do_not_edit_manually.json | 2 +- ...79a-f97be24cc02d_do_not_edit_manually.json | 2 +- ...e56-0242ac120002_do_not_edit_manually.json | 2 +- ...763-aad3451821e5_do_not_edit_manually.json | 2 +- ...0ce-dbcae04eaf26_do_not_edit_manually.json | 2 +- ...b7a-4f2d0a518b04_do_not_edit_manually.json | 2 +- ...475-a7f43754ab6d_do_not_edit_manually.json | 2 +- ...5aa-2a6a900df99b_do_not_edit_manually.json | 2 +- ...3ba-652eca2e8ed0_do_not_edit_manually.json | 2 +- ...895-c8769a749d45_do_not_edit_manually.json | 2 +- ...b61-836b2d45a742_do_not_edit_manually.json | 2 +- ...04b-ebda6756db60_do_not_edit_manually.json | 2 +- ...43e-9848cadb1f99_do_not_edit_manually.json | 2 +- ...844-f7f4d7348199_do_not_edit_manually.json | 2 +- ...a2c-6a89635d8615_do_not_edit_manually.json | 2 +- ...a64-fb65d4b0a4cf_do_not_edit_manually.json | 2 +- ...847-983f38efb8ff_do_not_edit_manually.json | 2 +- ...602-a5994544d9ed_do_not_edit_manually.json | 2 +- ...e3d-587fdd99a421_do_not_edit_manually.json | 2 +- ...bb3-f0290b99f014_do_not_edit_manually.json | 2 +- ...723-84060aeb5529_do_not_edit_manually.json | 2 +- ...f71-46155af56570_do_not_edit_manually.json | 2 +- ...15f-1f83807ff3cc_do_not_edit_manually.json | 2 +- ...9e6-ee5a00ee0956_do_not_edit_manually.json | 2 +- ...fa0-c63661820941_do_not_edit_manually.json | 2 +- ...73d-6eb8b982afcd_do_not_edit_manually.json | 2 +- ...9c5-e075f3fb3216_do_not_edit_manually.json | 2 +- ...e89-f2b8be4baf4e_do_not_edit_manually.json | 2 +- ...8ed-b7fb3d7fa232_do_not_edit_manually.json | 2 +- ...785-c1276277b5d7_do_not_edit_manually.json | 2 +- ...ea4-247b12b3d74b_do_not_edit_manually.json | 2 +- ...e0e-ca4e6cecf7e6_do_not_edit_manually.json | 2 +- ...09d-cf0e5daf3ccd_do_not_edit_manually.json | 2 +- ...af5-b69c7b679887_do_not_edit_manually.json | 2 +- ...d9d-1a018cd8c4bb_do_not_edit_manually.json | 2 +- ...cb6-2f574bd4ce51_do_not_edit_manually.json | 2 +- ...671-77903dc8de69_do_not_edit_manually.json | 2 +- ...399-ddd992d48472_do_not_edit_manually.json | 2 +- ...c2d-e2cfa46bf0e5_do_not_edit_manually.json | 2 +- ...098-fe4a9e0aeaa0_do_not_edit_manually.json | 2 +- ...7e6-7e0948e12415_do_not_edit_manually.json | 2 +- ...0ca-b33f9b27f3d9_do_not_edit_manually.json | 2 +- ...in_rules_changelog_do_not_edit_manually.md | 2 +- .../built_in_rules_do_not_edit_manually.md | 2 +- ...-8563-db21da09cafd_do_not_edit_manually.md | 150 ++++++++++++++++++ .../built_in_detection_rules_eventids.md | 2 +- 150 files changed, 299 insertions(+), 149 deletions(-) diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json index 6248e81b5b..9b0eb7b277 100644 --- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, WMIC Uninstall Product, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MavInject Process Injection, CertOC Loading Dll, Control Panel Items, Suspicious Windows Installer Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json index 77897bb787..c96c320b18 100644 --- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH X11 Forwarding, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, SOCKS Tunneling Tool, SSH Tunnel Traffic"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Explorer Process Executing HTA File, Control Panel Items, Equation Group DLL_U Load, xWizard Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File and Directory Permissions Modification"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Linux Binary Masquerading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, PowerShell Download From URL, Elise Backdoor, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SSH Tunnel Traffic, SSH X11 Forwarding, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, AccCheckConsole Executing Dll, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, Control Panel Items, Equation Group DLL_U Load, CMSTP Execution, CertOC Loading Dll, Suspicious Rundll32.exe Execution, Suspicious Control Process, Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json index 250bb97dcc..3f5921f6d0 100644 --- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json index de3ec6bd00..934f0841f2 100644 --- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Generic-reverse-shell-oneliner, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, PowerShell Download From URL, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WithSecure Elements Critical Severity"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Microsoft Defender Antivirus Threat Detected, PsExec Process, SolarWinds Suspicious File Creation, WithSecure Elements Critical Severity"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Sysmon Windows File Block Executable, WithSecure Elements Critical Severity"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Microsoft Defender Antivirus Tampering Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, PowerShell Download From URL, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Sekoia.io EICAR Detection, WithSecure Elements Critical Severity, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, WithSecure Elements Critical Severity, Microsoft Defender Antivirus Threat Detected, PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Download Files From Non-Legitimate TLDs, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: WithSecure Elements Critical Severity, Sysmon Windows File Block Executable, Download Files From Non-Legitimate TLDs, Microsoft Defender Antivirus Threat Detected, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json index 7fe0c5d819..2062962d7d 100644 --- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace Password Change, Google Workspace MFA changed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace Admin Deletion, Google Workspace User Deletion, Google Workspace User Suspended"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Domain Delegation, Google Workspace Admin Modification"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Google Workspace Bypass 2FA"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Google Workspace App Script Scheduled Task"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Google Workspace MFA changed, Google Workspace Password Change"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Google Workspace Admin Deletion, Google Workspace User Suspended, Google Workspace User Deletion"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Google Workspace MFA changed"}, {"techniqueID": "T1136.003", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Google Workspace User Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Google Workspace Domain Delegation, Google Workspace Admin Modification"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Google Workspace Email Forwarding"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Google Workspace Admin Creation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json index 8d34d64430..e727b063b1 100644 --- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, Wininit Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, Csrss Wrong Parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, Wininit Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, Csrss Wrong Parent, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wininit Wrong Parent, SolarWinds Wrong Child Process, Winword wrong parent, Csrss Wrong Parent, Usage Of Procdump With Common Arguments, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Wininit Wrong Parent, Exfiltration Via Pscp, SolarWinds Wrong Child Process, Winword wrong parent, Microsoft Defender XDR Alert, Microsoft Defender XDR Cloud App Security Alert, Csrss Wrong Parent, Usage Of Procdump With Common Arguments, Microsoft Defender XDR Office 365 Alert, Winrshost Wrong Parent, Windows Update LolBins, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Microsoft Defender XDR Endpoint Alert, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, SolarWinds Suspicious File Creation, Smss Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Suspicious Driver Loaded, Netsh RDP Port Forwarding, SELinux Disabling, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh RDP Port Forwarding, SELinux Disabling, Disabled IE Security Features, Fail2ban Unban IP, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Disabled Service, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Generic-reverse-shell-oneliner, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Microsoft Defender XDR Alert, Microsoft Defender XDR Cloud App Security Alert, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender XDR Office 365 Alert, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, Mshta Suspicious Child Process, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, QakBot Process Creation, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Microsoft Defender XDR Endpoint Alert, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, Interactive Terminal Spawned via Python, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Reverse Shell Detection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Defender XDR Office 365 Alert, Microsoft Defender XDR Endpoint Alert, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Defender XDR Alert, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Defender XDR Cloud App Security Alert"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Wininit Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Suspicious DNS Child Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Microsoft Defender XDR Alert, Wmiprvse Wrong Parent, Lsass Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Searchindexer Wrong Parent, Microsoft Defender XDR Endpoint Alert, Microsoft Defender XDR Office 365 Alert, Microsoft Defender XDR Cloud App Security Alert, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Wininit Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, SELinux Disabling, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled Service, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, SELinux Disabling, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled Service, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, PowerShell Download From URL, Elise Backdoor, Mshta Suspicious Child Process, Microsoft Defender XDR Alert, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Socat Reverse Shell Detection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Microsoft Defender XDR Endpoint Alert, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Microsoft Defender XDR Office 365 Alert, Microsoft Defender XDR Cloud App Security Alert, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender XDR Cloud App Security Alert, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Microsoft Defender XDR Alert, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Defender XDR Endpoint Alert, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Microsoft Defender XDR Office 365 Alert"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Tunnel Technique From MuddyWater, Cryptomining, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Email Attachment Received, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json index e49aff0ad2..e9a412e580 100644 --- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json index 4b96f46912..49eb47ef8f 100644 --- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Trend Micro Apex One Malware Alert, Generic-reverse-shell-oneliner, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), Trend Micro Apex One Data Loss Prevention Alert, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Potential DNS Tunnel, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Apex One Malware Alert, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, Trend Micro Apex One Data Loss Prevention Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Trend Micro Apex One Malware Alert, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Trend Micro Apex One Data Loss Prevention Alert"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, PowerShell Download From URL, Elise Backdoor, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Trend Micro Apex One Malware Alert, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Trend Micro Apex One Data Loss Prevention Alert, Suspicious CodePage Switch with CHCP, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp, Trend Micro Apex One Malware Alert, Trend Micro Apex One Data Loss Prevention Alert, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Trend Micro Apex One Malware Alert, Trend Micro Apex One Data Loss Prevention Alert, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json index b6c61aaa17..8a9850eba1 100644 --- a/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_07c0cac8-f68f-11ea-adc1-0242ac120002_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS VPC Flow logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json index f9e467fa9c..eb7c7fc182 100644 --- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR SSO User Added, SentinelOne EDR Custom Rule Alert, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, SentinelOne EDR Threat Detected (Malicious), Sekoia.io EICAR Detection, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Taskkill Command, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Quarantine Success, WMIC Uninstall Product, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Logged In To The Management Console, MalwareBytes Uninstallation, Lazarus Loaders, PowerShell EncodedCommand, Linux Bash Reverse Shell, SentinelOne EDR Agent Disabled, Default Encoding To UTF-8 PowerShell, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Mitigation Report Remediate Success, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Agent Disabled, Download Files From Suspicious TLDs, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), MS Office Product Spawning Exe in User Dir, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Detected (Malicious)"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Formbook Hijacked Process Command, RTLO Character"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Mitigation Report Kill Success, SolarWinds Wrong Child Process, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Agent Disabled, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Detected (Malicious)"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, WMIC Uninstall Product, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Package Manager Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Windows Firewall Changes, Clear EventLogs Through CommandLine, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Linux Bash Reverse Shell, SentinelOne EDR SSO User Added, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Detected (Suspicious), Phorpiex DriveMgr Command, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Success, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, Lazarus Loaders, SentinelOne EDR Custom Rule Alert, SquirrelWaffle Malspam Execution Loading DLL, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, SentinelOne EDR User Failed To Log In To The Management Console, Suspicious PowerShell Invocations - Specific, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Threat Detected (Malicious), Sekoia.io EICAR Detection, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Default Encoding To UTF-8 PowerShell, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Malicious Threat Not Mitigated, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, CMSTP UAC Bypass via COM Object Access, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Control Panel Items, Suspicious Windows Installer Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Impacket Wmiexec Module, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR SSO User Added, Download Files From Suspicious TLDs, SentinelOne EDR Agent Disabled, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Quarantine Success, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR User Failed To Log In To The Management Console"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR SSO User Added, SentinelOne EDR Agent Disabled, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR User Logged In To The Management Console, SolarWinds Wrong Child Process, SentinelOne EDR Malicious Threat Not Mitigated, Usage Of Procdump With Common Arguments, SentinelOne EDR User Failed To Log In To The Management Console"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json index 346c9fc13a..64d68b7b65 100644 --- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json index d993366aef..d0dd8f6739 100644 --- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, Mshta Suspicious Child Process, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, QakBot Process Creation, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, Winword wrong parent, Explorer Wrong Parent, SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, Winword wrong parent, Explorer Wrong Parent, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Suspicious DNS Child Process, PsExec Process, Winword wrong parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Windows Update LolBins, PsExec Process, Winword wrong parent"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection, Explorer Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater, Dynamic DNS Contacted"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, PowerShell Download From URL, Elise Backdoor, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Winword wrong parent, New Service Creation, Explorer Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Winword wrong parent, New Service Creation, Explorer Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winword wrong parent, Suspicious DNS Child Process, PsExec Process, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winword wrong parent, Windows Update LolBins, Suspicious DNS Child Process, PsExec Process, Exfiltration Via Pscp, SolarWinds Wrong Child Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Outlook Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json index b790d323c1..cd66c239ea 100644 --- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Exfiltration Via Pscp, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Usage Of Procdump With Common Arguments, Windows Update LolBins, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Suspicious Driver Loaded, Netsh RDP Port Forwarding, SELinux Disabling, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Disabled Service, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh RDP Port Forwarding, SELinux Disabling, Disabled IE Security Features, Fail2ban Unban IP, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, AMSI Deactivation Using Registry Key, Netsh Allow Command, Disabled Service, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Elise Backdoor, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Generic-reverse-shell-oneliner, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, Mshta Suspicious Child Process, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, QakBot Process Creation, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, Interactive Terminal Spawned via Python, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Reverse Shell Detection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Lsass Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Lsass Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, SELinux Disabling, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled Service, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, FLTMC command usage, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, SELinux Disabling, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled Service, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, PowerShell Download From URL, Elise Backdoor, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Socat Reverse Shell Detection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Outlook Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json index 4c95411ad1..b01b55c0b9 100644 --- a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Sekoia.io EICAR Detection"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, WMIC Uninstall Product, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Sekoia.io EICAR Detection, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MavInject Process Injection, CertOC Loading Dll, Control Panel Items, Suspicious Windows Installer Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json index 045f54b699..c4fc0cc08a 100644 --- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json index ae43564a4e..03436595fd 100644 --- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Impossible Travel"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Impossible Travel"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Abnormal Token"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Abnormal Token"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1556.006", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) MFA Method Change"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json index 1867c663b6..48d0cdd516 100644 --- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json index edfc2d30f1..06f17556b1 100644 --- a/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_1df44c62-33d3-41d4-8176-f1fa13589eea_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection High Severity, ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x ExtraHop Reveal(x) 360", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: ExtraHop Reveal(x) 360 Intrusion Detection High Severity, ExtraHop Reveal(x) 360 Intrusion Detection Critical Severity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json index cc3a8234e4..13423e390c 100644 --- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Sekoia.io EICAR Detection"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}]} \ No newline at end of file +{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, WMIC Uninstall Product, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Sekoia.io EICAR Detection, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MavInject Process Injection, CertOC Loading Dll, Control Panel Items, Suspicious Windows Installer Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json index 0b4e70fe66..1e6a7ab59f 100644 --- a/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2259adc3-9d93-4150-9c1c-46804e636084_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fortinet FortiWeb", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json index 115f408a95..ee425a98f2 100644 --- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity, Exfiltration Via Pscp, CrowdStrike Falcon Intrusion Detection Informational Severity, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Critical Severity, Winword wrong parent, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Intrusion Detection High Severity, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, CrowdStrike Falcon Identity Protection Detection Low Severity, Usage Of Procdump With Common Arguments, Winrshost Wrong Parent, CrowdStrike Falcon Identity Protection Detection Medium Severity, Windows Update LolBins, CrowdStrike Falcon Intrusion Detection Medium Severity, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, CrowdStrike Falcon Identity Protection Detection Informational Severity, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Critical Severity, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Smss Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, CrowdStrike Falcon Intrusion Detection Low Severity, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Informational Severity, Generic-reverse-shell-oneliner, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Critical Severity, AutoIt3 Execution From Suspicious Folder, CrowdStrike Falcon Identity Protection Detection High Severity, Phorpiex DriveMgr Command, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, CrowdStrike Falcon Identity Protection Detection Medium Severity, PowerShell Download From URL, CrowdStrike Falcon Intrusion Detection Medium Severity, Trickbot Malware Activity, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, CrowdStrike Falcon Identity Protection Detection Informational Severity, Elise Backdoor, Powershell Web Request, Mshta Suspicious Child Process, WMIC Uninstall Product, CrowdStrike Falcon Intrusion Detection Critical Severity, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, QakBot Process Creation, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Potential DNS Tunnel, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, CrowdStrike Falcon Intrusion Detection Low Severity, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection, IcedID Execution Using Excel, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Identity Protection Detection Medium Severity, Exploit For CVE-2015-1641, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Identity Protection Detection Low Severity"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: CrowdStrike Falcon Mobile Detection Medium Severity, Dynamic DNS Contacted, Cryptomining, Exfiltration And Tunneling Tools Execution, CrowdStrike Falcon Mobile Detection Informational Severity, CrowdStrike Falcon Mobile Detection Critical Severity, Python HTTP Server, CrowdStrike Falcon Mobile Detection Low Severity, CrowdStrike Falcon Mobile Detection High Severity, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Low Severity, Rare Logonui Child Found, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Medium Severity, Rare Lsass Child Found, Suspicious DNS Child Process, Taskhost Wrong Parent, CrowdStrike Falcon Identity Protection Detection Low Severity, PsExec Process, Taskhostw Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Wsmprovhost Wrong Parent, CrowdStrike Falcon Identity Protection Detection High Severity, Svchost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, CrowdStrike Falcon Intrusion Detection High Severity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, CMSTP UAC Bypass via COM Object Access, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Medium Severity, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, PowerShell Download From URL, Mshta Suspicious Child Process, CrowdStrike Falcon Identity Protection Detection Low Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, CrowdStrike Falcon Identity Protection Detection High Severity, Bloodhound and Sharphound Tools Usage, CrowdStrike Falcon Intrusion Detection Medium Severity, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, XSL Script Processing And SquiblyTwo Attack, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, CrowdStrike Falcon Intrusion Detection High Severity, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Identity Protection Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Identity Protection Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Low Severity, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Intrusion Detection Informational Severity, IcedID Execution Using Excel, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Identity Protection Detection High Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Identity Protection Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, Exploit For CVE-2015-1641, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, Winword Document Droppers, CrowdStrike Falcon Intrusion Detection High Severity, Suspicious Outlook Child Process, Explorer Process Executing HTA File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, CrowdStrike Falcon Mobile Detection High Severity, CrowdStrike Falcon Mobile Detection Critical Severity, Exfiltration And Tunneling Tools Execution, Python HTTP Server, CrowdStrike Falcon Mobile Detection Informational Severity, SEKOIA.IO Intelligence Feed, CrowdStrike Falcon Mobile Detection Low Severity, DNS Tunnel Technique From MuddyWater, Cryptomining, CrowdStrike Falcon Mobile Detection Medium Severity, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json index 033d920ebd..fe0e5639ef 100644 --- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json index 74d93d8e84..00b26ead86 100644 --- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Cobalt Strike Default Service Creation Usage, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, APT29 Fake Google Update Service Install, Winrshost Wrong Parent, Malicious Service Installations, Wmiprvse Wrong Parent, WMI Persistence Command Line Event Consumer, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, StoneDrill Service Install, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Cobalt Strike Default Service Creation Usage, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, APT29 Fake Google Update Service Install, Winrshost Wrong Parent, Malicious Service Installations, Wmiprvse Wrong Parent, WMI Persistence Command Line Event Consumer, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, StoneDrill Service Install, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Smbexec.py Service Installation, Winrshost Wrong Parent, Malicious Service Installations, Suspicious PsExec Execution, Wmiprvse Wrong Parent, WMI Persistence Command Line Event Consumer, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Credential Dumping Tools Service Execution, Gpscript Suspicious Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Metasploit PSExec Service Creation, Suspicious DNS Child Process, Windows Suspicious Service Creation, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Exfiltration Via Pscp, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Smbexec.py Service Installation, Winrshost Wrong Parent, Malicious Service Installations, Windows Update LolBins, Suspicious PsExec Execution, Wmiprvse Wrong Parent, WMI Persistence Command Line Event Consumer, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Credential Dumping Tools Service Execution, Gpscript Suspicious Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Metasploit PSExec Service Creation, Logonui Wrong Parent, Suspicious DNS Child Process, Windows Suspicious Service Creation, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Check Point Harmony Mobile Application Forbidden, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Smss Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Disable Security Events Logging Adding Reg Key MiniNt, DNS ServerLevelPluginDll Installation, Ursnif Registry Key, Remote Registry Management Using Reg Utility, Wdigest Enable UseLogonCredential, RDP Port Change Using Powershell, OceanLotus Registry Activity, Suspicious New Printer Ports In Registry, FlowCloud Malware, Blue Mockingbird Malware, NetNTLM Downgrade Attack, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, Chafer (APT 39) Activity, Suspicious Desktopimgdownldr Execution, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Lsass Access Through WinRM, Credential Dumping-Tools Common Named Pipes, Windows Credential Editor Registry Key, LSASS Memory Dump, Password Dumper Activity On LSASS, LSASS Access From Non System Account, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious CommandLine Lsassy Pattern, Cred Dump Tools Dropped Files, Dumpert LSASS Process Dumper, Unsigned Image Loaded Into LSASS Process, Credential Dumping Tools Service Execution, Process Memory Dump Using Rdrleakdiag, Credential Dumping By LaZagne, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump, Mimikatz LSASS Memory Access"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: SAM Registry Hive Handle Request, Credential Dumping-Tools Common Named Pipes, Process Memory Dump Using Comsvcs, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Impacket Secretsdump.py Tool, Mimikatz LSASS Memory Access, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Password Dumper Activity On LSASS, DCSync Attack, NTDS.dit File In Suspicious Directory, LSASS Access From Non System Account, Malicious Service Installations, Cred Dump Tools Dropped Files, Process Memory Dump Using Rdrleakdiag, Credential Dumping By LaZagne, WCE wceaux.dll Creation, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon, LSASS Memory Dump, Wdigest Enable UseLogonCredential, Active Directory Database Dump Via Ntdsutil, Grabbing Sensitive Hives Via Reg Utility, Dumpert LSASS Process Dumper, Active Directory Replication from Non Machine Account, Rubeus Tool Command-line, Copying Browser Files With Credentials, Lsass Access Through WinRM, Windows Credential Editor Registry Key, RedMimicry Winnti Playbook Dropped File, Load Of dbghelp/dbgcore DLL From Suspicious Process, NetNTLM Downgrade Attack, HackTools Suspicious Process Names In Command Line, Unsigned Image Loaded Into LSASS Process, Transfering Files With Credential Data Via Network Shares, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, Dynwrapx Module Loading, xWizard Execution, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Forwarding, Debugging Software Deactivation, Disable Windows Defender Credential Guard, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable Scheduled Tasks, TrustedInstaller Impersonation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Windows Defender Deactivation Using PowerShell Script, AMSI Deactivation Using Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, NetNTLM Downgrade Attack, Netsh RDP Port Opening, Suspicious PROCEXP152.sys File Created In Tmp, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Disable Security Events Logging Adding Reg Key MiniNt, Netsh Port Forwarding, Debugging Software Deactivation, Disable Windows Defender Credential Guard, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable Scheduled Tasks, TrustedInstaller Impersonation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Windows Defender Deactivation Using PowerShell Script, ETW Tampering, AMSI Deactivation Using Registry Key, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Python Opening Ports, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Configuration Changed, Suspect Svchost Memory Access, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, NetNTLM Downgrade Attack, Netsh RDP Port Opening, Suspicious PROCEXP152.sys File Created In Tmp, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Detection of default Mimikatz banner, Invoke-TheHash Commandlets, Phorpiex DriveMgr Command, In-memory PowerShell, Suspicious Cmd.exe Command Line, WMI DLL Loaded Via Office, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Aspnet Compiler, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, PowerShell NTFS Alternate Data Stream, PowerShell Download From URL, FromBase64String Command Line, Trickbot Malware Activity, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Mustang Panda Dropper, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Keywords, Mshta Suspicious Child Process, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Scripting In A WMI Consumer, MalwareBytes Uninstallation, PowerShell Malicious PowerShell Commandlets, Lazarus Loaders, Malspam Execution Registering Malicious DLL, Sysprep On AppData Folder, Turla Named Pipes, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, PowerShell Credential Prompt, Malicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, QakBot Process Creation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Sysmon Windows File Block Executable, Suspicious DLL Loaded Via Office Applications, Exploit For CVE-2015-1641, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Process Execution Blocked (HL-AI engine), Malspam Execution Registering Malicious DLL, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Medium Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Threat, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Threat, HarfangLab EDR Medium Threat, HarfangLab EDR High Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, Suspicious DLL Loaded Via Office Applications, Exploit For CVE-2015-1641, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Process Execution Blocked (HL-AI engine), Malspam Execution Registering Malicious DLL, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Medium Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Threat, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Threat, HarfangLab EDR Medium Threat, HarfangLab EDR High Threat"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: SAM Registry Hive Handle Request, Credential Dumping-Tools Common Named Pipes, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, RedMimicry Winnti Playbook Dropped File, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Powershell AMSI Bypass, Python Opening Ports"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH X11 Forwarding, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, SSH Tunnel Traffic"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Windows Registry Persistence COM Search Order Hijacking, Werfault DLL Injection, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Process Herpaderping, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Dynwrapx Module Loading, Process Hollowing Detection, Cobalt Strike Named Pipes, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Malicious Named Pipe, CreateRemoteThread Common Process Injection, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, User Added to Local Administrators, Mimikatz Basic Commands, Active Directory User Backdoors, Privileged AD Builtin Group Modified, Active Directory Replication User Backdoor, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Delegate To KRBTGT Service"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Process Call Creation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Detection of default Mimikatz banner, Invoke-TheHash Commandlets, In-memory PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell NTFS Alternate Data Stream, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Keywords, Mshta Suspicious Child Process, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Malicious PowerShell Commandlets, Turla Named Pipes, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Credential Prompt, Malicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, AD User Enumeration, Active Directory Data Export Using Csvde, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Audit CVE Event, Exploit For CVE-2015-1641, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Antivirus Web Shell Detection, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Antivirus Web Shell Detection, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, GPO Executable Delivery, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, NjRat Registry Changes, Narrator Feedback-Hub Persistence, Autorun Keys Modification, DLL Load via LSASS Registry Key, Kernel Module Alteration, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Ryuk Ransomware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Tampering - Suspicious Failed Logon Reasons, Denied Access To Remote Desktop, User Added to Local Administrators, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, PowerView commandlets 2, Phosphorus Domain Controller Discovery, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, Putty Sessions Listing, SysKey Registry Keys Access"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, AD Object WriteDAC Access"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Stop Backup Services, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Privileged Operation, SCM Database Handle Failure, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Execution From Suspicious Folder, Explorer Wrong Parent, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Active Directory Database Dump Via Ntdsutil, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Event Subscription, Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, Sticky Key Like Backdoor Usage, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Suspicious LDAP-Attributes Used, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Remote Registry Management Using Reg Utility, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, GitLab CVE-2021-22205"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lsass Access Through WinRM, Admin Share Access, Smbexec.py Service Installation, RDP Port Change Using Powershell, Remote Service Activity Via SVCCTL Named Pipe, Denied Access To Remote Desktop, Protected Storage Service Access, MMC20 Lateral Movement, MMC Spawning Windows Shell, RDP Login From Localhost, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: TUN/TAP Driver Installation, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test, Microsoft Office Startup Add-In"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Suspicious Outbound Kerberos Connection, Rubeus Register New Logon Process, Rubeus Tool Command-line, Kerberos Pre-Auth Disabled in UAC, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Kerberos Ticket"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Secure Deletion With SDelete, PowerShell EncodedCommand"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, Privileged AD Builtin Group Modified, User Account Deleted"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Malicious Service Installations, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, APT29 Fake Google Update Service Install, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, StoneDrill Service Install, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Cobalt Strike Default Service Creation Usage, Gpscript Suspicious Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Malicious Service Installations, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, APT29 Fake Google Update Service Install, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, StoneDrill Service Install, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Cobalt Strike Default Service Creation Usage, Gpscript Suspicious Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Malicious Service Installations, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Smbexec.py Service Installation, Lsass Wrong Parent, Windows Suspicious Service Creation, Usage Of Sysinternals Tools, Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Metasploit PSExec Service Creation, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious PsExec Execution, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Credential Dumping Tools Service Execution, Winlogon wrong parent, Gpscript Suspicious Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Rare Logonui Child Found, Check Point Harmony Mobile Application Forbidden, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Malicious Service Installations, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Smbexec.py Service Installation, Lsass Wrong Parent, Windows Suspicious Service Creation, Usage Of Sysinternals Tools, Windows Update LolBins, Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Metasploit PSExec Service Creation, Svchost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Microsoft Defender Antivirus Threat Detected, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious PsExec Execution, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Credential Dumping Tools Service Execution, Winlogon wrong parent, Gpscript Suspicious Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Chafer (APT 39) Activity, DNS ServerLevelPluginDll Installation, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, OceanLotus Registry Activity, Disable Security Events Logging Adding Reg Key MiniNt, Remote Registry Management Using Reg Utility, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, Suspicious CommandLine Lsassy Pattern, Credential Dumping-Tools Common Named Pipes, Credential Dumping By LaZagne, Dumpert LSASS Process Dumper, LSASS Memory Dump, Password Dumper Activity On LSASS, Cred Dump Tools Dropped Files, Lsass Access Through WinRM, Unsigned Image Loaded Into LSASS Process, Mimikatz LSASS Memory Access, LSASS Memory Dump File Creation, LSASS Access From Non System Account"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper, Copying Sensitive Files With Credential Data, LSASS Memory Dump, HackTools Suspicious Process Names In Command Line, Malicious Service Installations, SAM Registry Hive Handle Request, Suspicious CommandLine Lsassy Pattern, Load Of dbghelp/dbgcore DLL From Suspicious Process, Transfering Files With Credential Data Via Network Shares, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, Credential Dumping-Tools Common Named Pipes, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, Mimikatz LSASS Memory Access, DCSync Attack, Mimikatz Basic Commands, LSASS Access From Non System Account, RedMimicry Winnti Playbook Dropped File, Cmdkey Cached Credentials Recon, Active Directory Replication from Non Machine Account, DPAPI Domain Backup Key Extraction, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, Lsass Access Through WinRM, Unsigned Image Loaded Into LSASS Process, Grabbing Sensitive Hives Via Reg Utility, LSASS Memory Dump File Creation, HackTools Suspicious Names, Credential Dumping Tools Service Execution, Credential Dumping By LaZagne, Rubeus Tool Command-line, Suspicious SAM Dump, Active Directory Database Dump Via Ntdsutil, Password Dumper Activity On LSASS"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Dynwrapx Module Loading, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, CMSTP UAC Bypass via COM Object Access, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, TrustedInstaller Impersonation, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Configuration Changed, Suspicious Driver Loaded, Netsh Port Opening, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Ryuk Ransomware Command Line, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Services, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Python Opening Ports, Netsh RDP Port Opening, TrustedInstaller Impersonation, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Configuration Changed, Suspicious Driver Loaded, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Powershell AMSI Bypass, Ryuk Ransomware Command Line, NetNTLM Downgrade Attack, Suspect Svchost Memory Access, ETW Tampering, Netsh Allow Command, Microsoft Defender Antivirus Tampering Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Services, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Scheduled Tasks, NetSh Used To Disable Windows Firewall, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, PowerShell Malicious PowerShell Commandlets, Aspnet Compiler, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, PowerShell Download From URL, Mshta Suspicious Child Process, PowerShell Credential Prompt, Suspicious Cmd.exe Command Line, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Alternate PowerShell Hosts Pipe, In-memory PowerShell, PowerShell NTFS Alternate Data Stream, Suspicious Windows Script Execution, Lazarus Loaders, Suspicious PowerShell Keywords, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Suspicious DLL Loaded Via Office Applications, PowerShell Invoke Expression With Registry, Mustang Panda Dropper, Malicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, FromBase64String Command Line, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Detection of default Mimikatz banner, Turla Named Pipes, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, WMI DLL Loaded Via Office, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious XOR Encoded PowerShell Command Line, XSL Script Processing And SquiblyTwo Attack, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Generic, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Process Execution Blocked (HL-AI engine), MS Office Product Spawning Exe in User Dir, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Low Threat, HarfangLab EDR High Threat, Exploit For CVE-2015-1641, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Threat, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Winword Document Droppers, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Process Execution Blocked (HL-AI engine), MS Office Product Spawning Exe in User Dir, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Low Threat, HarfangLab EDR High Threat, Exploit For CVE-2015-1641, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Threat, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Winword Document Droppers, Explorer Process Executing HTA File, Suspicious Outlook Child Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, WMI DLL Loaded Via Office, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, RedMimicry Winnti Playbook Dropped File, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, SAM Registry Hive Handle Request"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Python Opening Ports, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SSH Tunnel Traffic, SSH X11 Forwarding, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule, Suspicious Hostname"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Svchost DLL Search Order Hijack, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Svchost DLL Search Order Hijack, DNS Server Error Failed Loading The ServerLevelPluginDLL, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Process Herpaderping, Malicious Named Pipe, Dynwrapx Module Loading, Explorer Wrong Parent, Cobalt Strike Named Pipes, MavInject Process Injection, Taskhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Process Hollowing Detection, CreateRemoteThread Common Process Injection, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory User Backdoors, Active Directory Replication User Backdoor, Privileged AD Builtin Group Modified, Active Directory Delegate To KRBTGT Service, Mimikatz Basic Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMI DLL Loaded Via Office, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Mshta Suspicious Child Process, PowerShell Credential Prompt, PowerShell EncodedCommand, Alternate PowerShell Hosts Pipe, In-memory PowerShell, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, FromBase64String Command Line, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, Detection of default Mimikatz banner, Turla Named Pipes, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Network Connection Via Certutil, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, PowerView commandlets 1, PowerView commandlets 2, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Exploit For CVE-2015-1641, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Suspicious New Printer Ports In Registry, Audit CVE Event, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Antivirus Web Shell Detection, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Antivirus Web Shell Detection, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, Windows Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, Remote Task Creation Via ATSVC Named Pipe, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, Windows Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery, Domain Trust Created Or Removed"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, AD User Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Ryuk Ransomware Persistence Registry Key, Kernel Module Alteration, DLL Load via LSASS Registry Key, Svchost Modification, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, Suspicious desktop.ini Action, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Secure Deletion With SDelete, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Eventlog Cleared, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Account Added To A Security Enabled Group, Admin User RDP Remote Logon, Denied Access To Remote Desktop, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, PowerView commandlets 2, NlTest Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, SysKey Registry Keys Access, Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Ryuk Ransomware Persistence Registry Key, Svchost Modification, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, AD Object WriteDAC Access"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Stop Backup Services, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Privileged Operation, PowerView commandlets 2, SCM Database Handle Failure"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Execution From Suspicious Folder, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character, Copy Of Legitimate System32 Executable, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, WMI Event Subscription, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Sliver DNS Beaconing, Suspicious LDAP-Attributes Used, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Denied Access To Remote Desktop, RDP Login From Localhost, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Lateral Movement - Remote Named Pipe, RDP Port Change Using Powershell, Lsass Access Through WinRM, MMC Spawning Windows Shell, Cobalt Strike Default Service Creation Usage, MMC20 Lateral Movement"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy, Audit CVE Event, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Eventlog Cleared"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test, Microsoft Office Startup Add-In"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Kerberos Pre-Auth Disabled in UAC, Suspicious Outbound Kerberos Connection, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Possible Replay Attack, Rubeus Tool Command-line, Rubeus Register New Logon Process"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, Secure Deletion With SDelete, OneNote Embedded File"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, DCSync Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json index ebaac09087..ae1bdd1403 100644 --- a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Kaspersky Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json index 6f0aacfc09..6b3961805b 100644 --- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json index 4253bf9b4e..44ad37e65f 100644 --- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Exfiltration Via Pscp, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Winrshost Wrong Parent, Windows Update LolBins, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Smss Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, AMSI Deactivation Using Registry Key, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Generic-reverse-shell-oneliner, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, PowerShell Download From URL, Trickbot Malware Activity, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, Mshta Suspicious Child Process, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, QakBot Process Creation, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Linux Bash Reverse Shell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Potential DNS Tunnel, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Audit CVE Event, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Outlook Child Process, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Microsoft Defender Antivirus Threat Detected, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, CMSTP UAC Bypass via COM Object Access, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Microsoft Defender Antivirus Tampering Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, XSL Script Processing And SquiblyTwo Attack, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Audit CVE Event, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json index a5ed3d3648..a44c6ef092 100644 --- a/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2886cd2d-f686-4e7d-9976-250cba2eaf5b_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Sliver DNS Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Broadcom Edge Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Sliver DNS Beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json index a841c5bcf4..1d07fbd7fd 100644 --- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Sekoia.io EICAR Detection"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Python HTTP Server, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, DNS Exfiltration and Tunneling Tools Execution, Potential Bazar Loader User-Agents, Python HTTP Server, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}]} \ No newline at end of file +{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, WMIC Uninstall Product, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Sekoia.io EICAR Detection, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MavInject Process Injection, CertOC Loading Dll, Control Panel Items, Suspicious Windows Installer Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json index 1266c58076..84c65123ae 100644 --- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Sekoia.io EICAR Detection"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Email Attachment Received, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json index cb9f32abbf..428c9100f0 100644 --- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json index 0aa5eba70b..3749f5d1d7 100644 --- a/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_331fa58d-8cf9-454a-a87f-48a3dc07d4d3_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Suricata", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Sliver DNS Beaconing, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json index e92af36fdf..f6ae0de043 100644 --- a/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_340e3bc7-2b76-48e4-9833-e971451b2979_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Network Watcher", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json index b68b995740..f891b4f411 100644 --- a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json index b3c0b9c322..58cf5f11c5 100644 --- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Exfiltration Via Pscp, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Winrshost Wrong Parent, Windows Update LolBins, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Smss Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Memory Dump Using Createdump"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, AMSI Deactivation Using Registry Key, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Generic-reverse-shell-oneliner, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, PowerShell Download From URL, Trickbot Malware Activity, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, Mshta Suspicious Child Process, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, QakBot Process Creation, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Sysmon Windows File Block Executable, Exploit For CVE-2015-1641, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Process Execution Blocked (HL-AI engine), Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Medium Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Threat, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Threat, HarfangLab EDR Medium Threat, HarfangLab EDR High Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Process Execution Blocked (HL-AI engine), Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Medium Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Threat, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Threat, HarfangLab EDR Medium Threat, HarfangLab EDR High Threat"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Python HTTP Server, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Python HTTP Server, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Microsoft Defender Antivirus Threat Detected, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, OceanLotus Registry Activity, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Names, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, CMSTP UAC Bypass via COM Object Access, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Microsoft Defender Antivirus Tampering Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, XSL Script Processing And SquiblyTwo Attack, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Process Execution Blocked (HL-AI engine), MS Office Product Spawning Exe in User Dir, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Threat, HarfangLab EDR High Threat, Exploit For CVE-2015-1641, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Threat, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Winword Document Droppers, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Process Execution Blocked (HL-AI engine), MS Office Product Spawning Exe in User Dir, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Threat, HarfangLab EDR High Threat, Exploit For CVE-2015-1641, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Threat, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Winword Document Droppers, Explorer Process Executing HTA File, Suspicious Outlook Child Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Windows Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, DNS Tunnel Technique From MuddyWater, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json index 3fe153f5a0..262af6b3af 100644 --- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert, Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json index fc2d8ab652..a59e2481bc 100644 --- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR CorePUA Detection, Download Files From Suspicious TLDs, Sophos EDR CorePUA Clean, Sophos EDR Application Detected, Sophos EDR Application Blocked"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Sophos EDR Application Blocked, Sophos EDR CorePUA Clean, Sophos EDR Application Detected, Sophos EDR CorePUA Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json index 0f4c6da18e..cf1c0aaf26 100644 --- a/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3f99cdd8-aeca-4860-a846-6f2a794583e1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Database for MySQL", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json index 6f8019c8f7..473725bba7 100644 --- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Covenant Default HTTP Beaconing, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json index 44ada01320..5b1762ef13 100644 --- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winrshost Wrong Parent, Wmiprvse Wrong Parent, WMI Persistence Command Line Event Consumer, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winrshost Wrong Parent, Wmiprvse Wrong Parent, WMI Persistence Command Line Event Consumer, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Winrshost Wrong Parent, Wmiprvse Wrong Parent, WMI Persistence Command Line Event Consumer, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Exfiltration Via Pscp, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Winrshost Wrong Parent, Windows Update LolBins, Wmiprvse Wrong Parent, WMI Persistence Command Line Event Consumer, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, AMSI Deactivation Using Registry Key, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Generic-reverse-shell-oneliner, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, PowerShell Download From URL, Trickbot Malware Activity, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, Mshta Suspicious Child Process, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, QakBot Process Creation, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, Suspicious DNS Child Process, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Windows Update LolBins, Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, CMSTP UAC Bypass via COM Object Access, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, XSL Script Processing And SquiblyTwo Attack, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Outlook Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Tunnel Technique From MuddyWater, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json index 9d4409f680..d150a76b34 100644 --- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Interactive Terminal Spawned via Python, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Blocked, Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Quarantined"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder, Sekoia.io EICAR Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Terminate"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json index 389e38976b..087d1b58af 100644 --- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Koadic MSHTML Command, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json index 863c2f1941..3cdf5e8059 100644 --- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json index fcedcffa76..70448ed009 100644 --- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Suspicious Windows DNS Queries, FoggyWeb HTTP Default GET/POST Requests, Potential LokiBot User-Agent, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Suspicious Windows DNS Queries, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Sliver DNS Beaconing, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Suspicious Windows DNS Queries, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cobalt Strike HTTP Default POST Beaconing, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json index 38f8bff77c..73351a36f0 100644 --- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json index 106b7cc5e6..718ab32a4c 100644 --- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Download Files From Suspicious TLDs, Proofpoint TAP Email Classified As Spam But Allowed, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Proofpoint TAP Email Classified As Malware But Allowed, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Spam But Allowed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json index f1cb25115e..a0c1d722f8 100644 --- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json index c32c574cde..d0dd3ecdc0 100644 --- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json index 3dc20a05c0..78d1e6f390 100644 --- a/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_4760d0bc-2194-44e5-a876-85102b18d832_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Ekinops OneOS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json index fcf660eedd..7de12fdf34 100644 --- a/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_515ed00f-bf70-4fce-96cc-0ca31abd5d24_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google VPC Flow Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json index 62b5faf1da..fdbbcff598 100644 --- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json index ac95fa157f..c451715eb4 100644 --- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Fortinet FortiGate Firewall Successful External Login, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Successful External Login, Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Successful External Login, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Sliver DNS Beaconing, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Successful External Login, Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json index 71288644d1..8508c09dea 100644 --- a/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_5803f97d-b324-4452-b861-0253b15de650_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Lacework Cloud Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json index 8c83018c4d..23935dc1bb 100644 --- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json index 9922716422..c41d7dc826 100644 --- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh RDP Port Forwarding, SELinux Disabling, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, SELinux Disabling, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Disabled Service, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Relaying Socket, Generic-reverse-shell-oneliner, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Interactive Terminal Spawned via Python, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Reverse Shell Detection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Exfiltration Via Pscp"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, SELinux Disabling, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled Service, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, SELinux Disabling, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled Service, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, PowerShell Download From URL, Elise Backdoor, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Socat Reverse Shell Detection, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Socat Relaying Socket, Socat Reverse Shell Detection, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json index 4eb1eb9857..309662de2d 100644 --- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Exfiltration Via Pscp, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Windows Update LolBins, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Smss Wrong Parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Generic-reverse-shell-oneliner, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, PowerShell Download From URL, Trickbot Malware Activity, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, Mshta Suspicious Child Process, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, QakBot Process Creation, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, CMSTP UAC Bypass via COM Object Access, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, XSL Script Processing And SquiblyTwo Attack, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json index 93cd149477..969ea38f6e 100644 --- a/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_5a8ef52f-d143-4735-8546-98539fc07725_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Umbrella Proxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json index a2b71787d4..89321bf354 100644 --- a/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_5cf6cc3b-50ca-48f5-a3ea-b9be92914fa2_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Umbrella IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json index 2cc641ca4a..ef30d18e70 100644 --- a/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_5d9e261a-944c-4a76-8c61-6794fd44d9a8_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Unbound", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json index b28f0452ca..9f1cf13d5c 100644 --- a/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_60af2bd6-7ef0-48a7-a6db-90fcdd7236f1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fortinet FortiMail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json index 7d04cd0897..544e37f3b1 100644 --- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SonicWall Secure Mobile Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json index a2c929c63d..38d4d3a7a8 100644 --- a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json index 5991fb5153..b65165eb26 100644 --- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json index 2aa6e85c54..3cd3f993c2 100644 --- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Sekoia.io EICAR Detection"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, WMIC Uninstall Product, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Sekoia.io EICAR Detection, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MavInject Process Injection, CertOC Loading Dll, Control Panel Items, Suspicious Windows Installer Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json index 0751c4db82..71ba09bbd0 100644 --- a/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6c2a44e3-a86a-4d98-97a6-d575ffcb29f7_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Apache HTTP Server", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json index 247d3bb12f..e8b9929997 100644 --- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Ubika WAAP Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json index 0e356fc97a..80dba66deb 100644 --- a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json index 4a0aafcbbc..49a2517806 100644 --- a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Files", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json index b9b76472a0..c33ddf4462 100644 --- a/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_76d767ed-5431-4db1-b893-a48b6903d871_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json index 4abeeea3ab..192ab27592 100644 --- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Explorer Process Executing HTA File, Control Panel Items, Equation Group DLL_U Load, xWizard Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, PowerShell Download From URL, Elise Backdoor, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, AccCheckConsole Executing Dll, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, Control Panel Items, Equation Group DLL_U Load, CMSTP Execution, CertOC Loading Dll, Suspicious Rundll32.exe Execution, Suspicious Control Process, Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json index a20c467c8b..108ff7b6c0 100644 --- a/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7954ae6f-eafa-404d-8e15-4b99a12b754c_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Apache SpamAssassin", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json index e0ba7a2042..7275df1a8a 100644 --- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json index 7675516c74..bc973cac46 100644 --- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json index 4423418950..22d98dc81e 100644 --- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json index bd27168131..185e90a90f 100644 --- a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json index dcd612cb89..f17d6b302d 100644 --- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub New Organization Member, GitHub Delete Action"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled, GitHub New Organization Member, GitHub Delete Action"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Github Audit logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json index 99c90ad36d..e4b2e2e163 100644 --- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json index 1ad555c1cb..1e33d3a673 100644 --- a/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8461aabe-6eba-4044-ad7f-a0c39a2b2279_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft 365 Message Trace", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json index 2ec149adc1..c9f145eebe 100644 --- a/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8510051d-c7cf-4b0c-a398-031afe91faa0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x OpenBSD Packet Filter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json index 2c300176a1..0a43c49513 100644 --- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json index 1ac0fa0e6d..f80c02c270 100644 --- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x ManageEngine ADAudit Plus", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json index 494632c2ca..51ea4b944f 100644 --- a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json index 069fe37881..39836da680 100644 --- a/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8d024a2b-3627-4909-818d-26e1e3b2409c_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Ubika Cloud Protector Traffic [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json index 7905e68d57..e180dc5fd9 100644 --- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Generic-reverse-shell-oneliner, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, TEHTRIS EDR Alert, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, TEHTRIS EDR Alert, Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, PowerShell Download From URL, Elise Backdoor, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Powershell Web Request, TEHTRIS EDR Alert, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, TEHTRIS EDR Alert, PsExec Process, Exfiltration Via Pscp, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, TEHTRIS EDR Alert, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json index d55d28c10c..9fcbb600b1 100644 --- a/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_90179796-f949-490c-8729-8cbc9c65be55_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cisco Umbrella Threat Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Umbrella DNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Cisco Umbrella Threat Detected, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json index 257c735c64..00ccac5f4c 100644 --- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected, Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Internet Scanner Target, Burp Suite Tool Detected, Internet Scanner"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Internet Scanner Target, Internet Scanner"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json index 647f13ebae..21b157b510 100644 --- a/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_9044ba46-2b5d-4ebd-878a-51d62e84c8df_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x ISC DHCP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json index fbf501c1a0..477405f366 100644 --- a/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_916c13a8-c109-49f0-94db-d6a2300f5580_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fastly Next-Gen WAF Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json index 14c8e899d5..446c1324f9 100644 --- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Cobalt Strike Default Service Creation Usage, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, APT29 Fake Google Update Service Install, Winrshost Wrong Parent, Malicious Service Installations, Wmiprvse Wrong Parent, WMI Persistence Command Line Event Consumer, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, StoneDrill Service Install, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Cobalt Strike Default Service Creation Usage, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, APT29 Fake Google Update Service Install, Winrshost Wrong Parent, Malicious Service Installations, Wmiprvse Wrong Parent, WMI Persistence Command Line Event Consumer, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Gpscript Suspicious Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, StoneDrill Service Install, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Smbexec.py Service Installation, Winrshost Wrong Parent, Malicious Service Installations, Suspicious PsExec Execution, Wmiprvse Wrong Parent, WMI Persistence Command Line Event Consumer, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Credential Dumping Tools Service Execution, Gpscript Suspicious Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Metasploit PSExec Service Creation, Suspicious DNS Child Process, Windows Suspicious Service Creation, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Exfiltration Via Pscp, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Smbexec.py Service Installation, Winrshost Wrong Parent, Malicious Service Installations, Windows Update LolBins, Suspicious PsExec Execution, Wmiprvse Wrong Parent, WMI Persistence Command Line Event Consumer, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Credential Dumping Tools Service Execution, Gpscript Suspicious Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Metasploit PSExec Service Creation, Logonui Wrong Parent, Suspicious DNS Child Process, Windows Suspicious Service Creation, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Check Point Harmony Mobile Application Forbidden, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Smss Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Disable Security Events Logging Adding Reg Key MiniNt, DNS ServerLevelPluginDll Installation, Ursnif Registry Key, Remote Registry Management Using Reg Utility, Wdigest Enable UseLogonCredential, RDP Port Change Using Powershell, OceanLotus Registry Activity, Suspicious New Printer Ports In Registry, FlowCloud Malware, Blue Mockingbird Malware, NetNTLM Downgrade Attack, RDP Sensitive Settings Changed, DHCP Callout DLL Installation, Chafer (APT 39) Activity, Suspicious Desktopimgdownldr Execution, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Lsass Access Through WinRM, Credential Dumping-Tools Common Named Pipes, Windows Credential Editor Registry Key, LSASS Memory Dump, Password Dumper Activity On LSASS, LSASS Access From Non System Account, Load Of dbghelp/dbgcore DLL From Suspicious Process, Suspicious CommandLine Lsassy Pattern, Cred Dump Tools Dropped Files, Dumpert LSASS Process Dumper, Unsigned Image Loaded Into LSASS Process, Credential Dumping Tools Service Execution, Process Memory Dump Using Rdrleakdiag, Credential Dumping By LaZagne, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump, Mimikatz LSASS Memory Access"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: SAM Registry Hive Handle Request, Credential Dumping-Tools Common Named Pipes, Process Memory Dump Using Comsvcs, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Mimikatz Basic Commands, Suspicious CommandLine Lsassy Pattern, Impacket Secretsdump.py Tool, Mimikatz LSASS Memory Access, HackTools Suspicious Names, NTDS.dit File Interaction Through Command Line, Password Dumper Activity On LSASS, DCSync Attack, NTDS.dit File In Suspicious Directory, LSASS Access From Non System Account, Malicious Service Installations, Cred Dump Tools Dropped Files, Process Memory Dump Using Rdrleakdiag, Credential Dumping By LaZagne, WCE wceaux.dll Creation, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon, LSASS Memory Dump, Wdigest Enable UseLogonCredential, Active Directory Database Dump Via Ntdsutil, Grabbing Sensitive Hives Via Reg Utility, Dumpert LSASS Process Dumper, Active Directory Replication from Non Machine Account, Rubeus Tool Command-line, Copying Browser Files With Credentials, Lsass Access Through WinRM, Windows Credential Editor Registry Key, Process Trace Alteration, RedMimicry Winnti Playbook Dropped File, Load Of dbghelp/dbgcore DLL From Suspicious Process, NetNTLM Downgrade Attack, HackTools Suspicious Process Names In Command Line, Unsigned Image Loaded Into LSASS Process, Transfering Files With Credential Data Via Network Shares, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, Dynwrapx Module Loading, xWizard Execution, AccCheckConsole Executing Dll, Malspam Execution Registering Malicious DLL, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Forwarding, Debugging Software Deactivation, Disable Windows Defender Credential Guard, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable Scheduled Tasks, TrustedInstaller Impersonation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Windows Defender Deactivation Using PowerShell Script, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, NetNTLM Downgrade Attack, Netsh RDP Port Opening, Suspicious PROCEXP152.sys File Created In Tmp, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Disable Security Events Logging Adding Reg Key MiniNt, Netsh Port Forwarding, Debugging Software Deactivation, Disable Windows Defender Credential Guard, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable Scheduled Tasks, TrustedInstaller Impersonation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Windows Defender Deactivation Using PowerShell Script, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Microsoft Defender Antivirus Exclusion Configuration, Raccine Uninstall, Disable Task Manager Through Registry Key, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Python Opening Ports, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Configuration Changed, Suspect Svchost Memory Access, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, NetNTLM Downgrade Attack, Netsh RDP Port Opening, Suspicious PROCEXP152.sys File Created In Tmp, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Malspam Execution Registering Malicious DLL, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Detection of default Mimikatz banner, Invoke-TheHash Commandlets, Phorpiex DriveMgr Command, In-memory PowerShell, Suspicious Cmd.exe Command Line, WMI DLL Loaded Via Office, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Aspnet Compiler, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, PowerShell NTFS Alternate Data Stream, PowerShell Download From URL, FromBase64String Command Line, Trickbot Malware Activity, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Mustang Panda Dropper, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Keywords, Mshta Suspicious Child Process, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Scripting In A WMI Consumer, MalwareBytes Uninstallation, PowerShell Malicious PowerShell Commandlets, Lazarus Loaders, Malspam Execution Registering Malicious DLL, Sysprep On AppData Folder, Turla Named Pipes, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, PowerShell Credential Prompt, Malicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Linux Bash Reverse Shell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, QakBot Process Creation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Sysmon Windows File Block Executable, Suspicious DLL Loaded Via Office Applications, Exploit For CVE-2015-1641, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Process Execution Blocked (HL-AI engine), Malspam Execution Registering Malicious DLL, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Medium Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Threat, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Threat, HarfangLab EDR Medium Threat, HarfangLab EDR High Threat"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, IcedID Execution Using Excel, Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, Suspicious DLL Loaded Via Office Applications, Exploit For CVE-2015-1641, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Process Execution Blocked (HL-AI engine), Malspam Execution Registering Malicious DLL, Winword Document Droppers, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Medium Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Low Level Rule Detection, HarfangLab EDR Critical Threat, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, HarfangLab EDR Low Threat, HarfangLab EDR Medium Threat, HarfangLab EDR High Threat"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Suspicious DLL Loaded Via Office Applications, Microsoft Office Spawning Script, Suspicious Windows Script Execution, Malspam Execution Registering Malicious DLL, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: SAM Registry Hive Handle Request, Credential Dumping-Tools Common Named Pipes, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, RedMimicry Winnti Playbook Dropped File, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Powershell AMSI Bypass, Python Opening Ports"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DNS ServerLevelPluginDll Installation, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, Dynamic Linker Hijacking From Environment Variable, DNS ServerLevelPluginDll Installation, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, Windows Registry Persistence COM Search Order Hijacking, Werfault DLL Injection, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, DHCP Callout DLL Installation, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Process Hollowing Detection, Wmiprvse Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Cobalt Strike Named Pipes, Spoolsv Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Svchost Wrong Parent, Process Herpaderping, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Dynwrapx Module Loading, Malicious Named Pipe, CreateRemoteThread Common Process Injection, Taskhost Wrong Parent, Explorer Wrong Parent, MavInject Process Injection, Smss Wrong Parent"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, User Added to Local Administrators, Mimikatz Basic Commands, Active Directory User Backdoors, Add User to Privileged Group, Privileged AD Builtin Group Modified, Active Directory Replication User Backdoor, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory Delegate To KRBTGT Service"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Process Call Creation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Detection of default Mimikatz banner, Invoke-TheHash Commandlets, In-memory PowerShell, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell NTFS Alternate Data Stream, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Alternate PowerShell Hosts Pipe, Suspicious PowerShell Keywords, Mshta Suspicious Child Process, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Malicious PowerShell Commandlets, Turla Named Pipes, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Credential Prompt, Malicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Network Connection Via Certutil, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, AD User Enumeration, Active Directory Data Export Using Csvde, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Download Files From Non-Legitimate TLDs, Msdt (Follina) File Browse Process Execution, Suspicious New Printer Ports In Registry, Download Files From Suspicious TLDs, Audit CVE Event, Exploit For CVE-2015-1641, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, Antivirus Web Shell Detection, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Windows Suspicious Scheduled Task Creation, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, GPO Executable Delivery, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Malware Persistence Registry Key, NjRat Registry Changes, Narrator Feedback-Hub Persistence, Autorun Keys Modification, DLL Load via LSASS Registry Key, Kernel Module Alteration, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Svchost Modification, Suspicious desktop.ini Action, Ryuk Ransomware Persistence Registry Key, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression, Secure Deletion With SDelete"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Tampering - Suspicious Failed Logon Reasons, Denied Access To Remote Desktop, User Added to Local Administrators, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, PowerView commandlets 2, Phosphorus Domain Controller Discovery, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Suspicious Taskkill Command, Putty Sessions Listing, SysKey Registry Keys Access"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Remote Monitoring and Management Software - Atera, Remote Monitoring and Management Software - AnyDesk, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, RUN Registry Key Created From Suspicious Folder, Svchost Modification, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications, AD Object WriteDAC Access"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Stop Backup Services, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Privileged Operation, SCM Database Handle Failure, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Execution From Suspicious Folder, Explorer Wrong Parent, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, NTDS.dit File In Suspicious Directory, Active Directory Database Dump Via Ntdsutil, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write, WMI Event Subscription, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Event Subscription, Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, Sticky Key Like Backdoor Usage, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Suspicious Windows DNS Queries, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, Suspicious LDAP-Attributes Used, DNS Exfiltration and Tunneling Tools Execution, Chafer (APT 39) Activity"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Remote Registry Management Using Reg Utility, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lsass Access Through WinRM, Admin Share Access, Smbexec.py Service Installation, RDP Port Change Using Powershell, Remote Service Activity Via SVCCTL Named Pipe, Denied Access To Remote Desktop, Protected Storage Service Access, MMC20 Lateral Movement, MMC Spawning Windows Shell, RDP Login From Localhost, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, TUN/TAP Driver Installation, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test, Microsoft Office Startup Add-In"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Suspicious Outbound Kerberos Connection, Rubeus Register New Logon Process, Rubeus Tool Command-line, Kerberos Pre-Auth Disabled in UAC, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Kerberos Ticket"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, Secure Deletion With SDelete, PowerShell EncodedCommand"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, Privileged AD Builtin Group Modified, User Account Deleted"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Python HTTP Server, TrevorC2 HTTP Communication, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Malicious Service Installations, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, APT29 Fake Google Update Service Install, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, StoneDrill Service Install, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Cobalt Strike Default Service Creation Usage, Gpscript Suspicious Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Malicious Service Installations, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, APT29 Fake Google Update Service Install, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, StoneDrill Service Install, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Cobalt Strike Default Service Creation Usage, Gpscript Suspicious Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Malicious Service Installations, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Smbexec.py Service Installation, Lsass Wrong Parent, Windows Suspicious Service Creation, Usage Of Sysinternals Tools, Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Metasploit PSExec Service Creation, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious PsExec Execution, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Credential Dumping Tools Service Execution, Winlogon wrong parent, Gpscript Suspicious Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Rare Logonui Child Found, Check Point Harmony Mobile Application Forbidden, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Malicious Service Installations, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Smbexec.py Service Installation, Lsass Wrong Parent, Windows Suspicious Service Creation, Usage Of Sysinternals Tools, Windows Update LolBins, Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Metasploit PSExec Service Creation, Svchost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Microsoft Defender Antivirus Threat Detected, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious PsExec Execution, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Credential Dumping Tools Service Execution, Winlogon wrong parent, Gpscript Suspicious Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Chafer (APT 39) Activity, DNS ServerLevelPluginDll Installation, RDP Sensitive Settings Changed, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, OceanLotus Registry Activity, Disable Security Events Logging Adding Reg Key MiniNt, Remote Registry Management Using Reg Utility, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Credential Dumping Tools Service Execution, Suspicious CommandLine Lsassy Pattern, Credential Dumping-Tools Common Named Pipes, Credential Dumping By LaZagne, Dumpert LSASS Process Dumper, LSASS Memory Dump, Password Dumper Activity On LSASS, Cred Dump Tools Dropped Files, Lsass Access Through WinRM, Unsigned Image Loaded Into LSASS Process, Mimikatz LSASS Memory Access, LSASS Memory Dump File Creation, LSASS Access From Non System Account"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Process Memory Dump Using Rdrleakdiag, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper, Copying Sensitive Files With Credential Data, LSASS Memory Dump, HackTools Suspicious Process Names In Command Line, Malicious Service Installations, SAM Registry Hive Handle Request, Suspicious CommandLine Lsassy Pattern, Load Of dbghelp/dbgcore DLL From Suspicious Process, Transfering Files With Credential Data Via Network Shares, Windows Credential Editor Registry Key, WCE wceaux.dll Creation, Credential Dumping-Tools Common Named Pipes, NetNTLM Downgrade Attack, Copying Browser Files With Credentials, Mimikatz LSASS Memory Access, DCSync Attack, Process Trace Alteration, Mimikatz Basic Commands, LSASS Access From Non System Account, RedMimicry Winnti Playbook Dropped File, Cmdkey Cached Credentials Recon, Active Directory Replication from Non Machine Account, DPAPI Domain Backup Key Extraction, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, Lsass Access Through WinRM, Unsigned Image Loaded Into LSASS Process, Grabbing Sensitive Hives Via Reg Utility, LSASS Memory Dump File Creation, HackTools Suspicious Names, Credential Dumping Tools Service Execution, Credential Dumping By LaZagne, Rubeus Tool Command-line, Suspicious SAM Dump, Active Directory Database Dump Via Ntdsutil, Password Dumper Activity On LSASS"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Dynwrapx Module Loading, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Malspam Execution Registering Malicious DLL, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, CMSTP UAC Bypass via COM Object Access, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Fail2ban Unban IP, Netsh RDP Port Opening, TrustedInstaller Impersonation, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Configuration Changed, Suspicious Driver Loaded, Netsh Port Opening, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Ryuk Ransomware Command Line, NetNTLM Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Services, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious PROCEXP152.sys File Created In Tmp, Python Opening Ports, Fail2ban Unban IP, Netsh RDP Port Opening, TrustedInstaller Impersonation, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Configuration Changed, Suspicious Driver Loaded, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable SecurityHealth, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Powershell AMSI Bypass, Ryuk Ransomware Command Line, NetNTLM Downgrade Attack, Suspect Svchost Memory Access, ETW Tampering, Netsh Allow Command, Microsoft Defender Antivirus Tampering Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Services, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, Disable Security Events Logging Adding Reg Key MiniNt, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, PowerShell Malicious PowerShell Commandlets, Aspnet Compiler, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, PowerShell Download From URL, Mshta Suspicious Child Process, PowerShell Credential Prompt, Suspicious Cmd.exe Command Line, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Alternate PowerShell Hosts Pipe, In-memory PowerShell, PowerShell NTFS Alternate Data Stream, Suspicious Windows Script Execution, Lazarus Loaders, Suspicious PowerShell Keywords, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Suspicious DLL Loaded Via Office Applications, PowerShell Invoke Expression With Registry, Mustang Panda Dropper, Malicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, FromBase64String Command Line, Malspam Execution Registering Malicious DLL, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Detection of default Mimikatz banner, Turla Named Pipes, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, WMI DLL Loaded Via Office, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious XOR Encoded PowerShell Command Line, XSL Script Processing And SquiblyTwo Attack, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Generic, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Process Execution Blocked (HL-AI engine), MS Office Product Spawning Exe in User Dir, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Low Threat, HarfangLab EDR High Threat, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Threat, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Winword Document Droppers, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: HarfangLab EDR Process Execution Blocked (HL-AI engine), MS Office Product Spawning Exe in User Dir, HarfangLab EDR Medium Threat, IcedID Execution Using Excel, HarfangLab EDR Low Level Rule Detection, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Low Threat, HarfangLab EDR High Threat, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Malspam Execution Registering Malicious DLL, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Critical Threat, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Hlai Engine Detection, Winword Document Droppers, Explorer Process Executing HTA File, Suspicious Outlook Child Process"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, WMI DLL Loaded Via Office, Malspam Execution Registering Malicious DLL, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, RedMimicry Winnti Playbook Dropped File, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, SAM Registry Hive Handle Request"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Python Opening Ports, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding, Suspicious TOR Gateway, Suspicious Hostname"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Svchost DLL Search Order Hijack, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Svchost DLL Search Order Hijack, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Cobalt Strike Named Pipes, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Process Herpaderping, Dynwrapx Module Loading, Explorer Wrong Parent, MavInject Process Injection, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, Process Hollowing Detection, CreateRemoteThread Common Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Malicious Named Pipe"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory User Backdoors, Active Directory Replication User Backdoor, Privileged AD Builtin Group Modified, Active Directory Delegate To KRBTGT Service, Add User to Privileged Group, Mimikatz Basic Commands"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMI DLL Loaded Via Office, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Mshta Suspicious Child Process, PowerShell Credential Prompt, PowerShell EncodedCommand, Alternate PowerShell Hosts Pipe, In-memory PowerShell, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, FromBase64String Command Line, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, Detection of default Mimikatz banner, Turla Named Pipes, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Pandemic Windows Implant, Network Connection Via Certutil, Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, PowerView commandlets 1, PowerView commandlets 2, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Antivirus Password Dumper Detection, Exploit For CVE-2015-1641, Download Files From Non-Legitimate TLDs, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Suspicious New Printer Ports In Registry, Audit CVE Event, Msdt (Follina) File Browse Process Execution, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Antivirus Web Shell Detection, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Antivirus Web Shell Detection, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, Windows Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, Remote Task Creation Via ATSVC Named Pipe, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, Creation or Modification of a GPO Scheduled Task, Windows Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery, Domain Trust Created Or Removed"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Active Directory Data Export Using Csvde, AD User Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Ryuk Ransomware Persistence Registry Key, Kernel Module Alteration, DLL Load via LSASS Registry Key, Svchost Modification, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, Suspicious desktop.ini Action, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Secure Deletion With SDelete, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Eventlog Cleared, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: User Added to Local Administrators, Account Added To A Security Enabled Group, Admin User RDP Remote Logon, Denied Access To Remote Desktop, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, PowerView commandlets 2, NlTest Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, SysKey Registry Keys Access, Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Ryuk Ransomware Persistence Registry Key, Svchost Modification, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, AD Object WriteDAC Access"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Stop Backup Services, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Privileged Operation, PowerView commandlets 2, SCM Database Handle Failure"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Execution From Suspicious Folder, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character, Copy Of Legitimate System32 Executable, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, WMI Event Subscription, Component Object Model Hijacking, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Potential Bazar Loader User-Agents, Suspicious LDAP-Attributes Used, Bazar Loader DGA (Domain Generation Algorithm), Chafer (APT 39) Activity, SEKOIA.IO Intelligence Feed, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, TrevorC2 HTTP Communication, Koadic MSHTML Command, Nimbo-C2 User Agent, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Impacket Addcomputer, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Remote Registry Management Using Reg Utility, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Smbexec.py Service Installation, Denied Access To Remote Desktop, RDP Login From Localhost, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Admin Share Access, Lateral Movement - Remote Named Pipe, RDP Port Change Using Powershell, Lsass Access Through WinRM, MMC Spawning Windows Shell, Cobalt Strike Default Service Creation Usage, MMC20 Lateral Movement"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy, Audit CVE Event, Suspicious New Printer Ports In Registry"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Eventlog Cleared"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Port Change Using Powershell, RDP Login From Localhost"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test, Microsoft Office Startup Add-In"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Suspicious Kerberos Ticket, Kerberos Pre-Auth Disabled in UAC, Suspicious Outbound Kerberos Connection, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Possible Replay Attack, Rubeus Tool Command-line, Rubeus Register New Logon Process"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle), Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, Secure Deletion With SDelete, OneNote Embedded File"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, Active Directory Replication from Non Machine Account, DCSync Attack"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Python HTTP Server, TrevorC2 HTTP Communication, Koadic MSHTML Command, Suspicious Windows DNS Queries, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1558.004", "score": 100, "comment": "Rules: Kerberos Pre-Auth Disabled in UAC"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json index ab32682faa..4c89bd7218 100644 --- a/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_954a6488-6394-4385-8427-621541e881d5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Explorer Process Executing HTA File, Control Panel Items, Equation Group DLL_U Load, xWizard Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix EDR [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, PowerShell Download From URL, Elise Backdoor, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, AccCheckConsole Executing Dll, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, Control Panel Items, Equation Group DLL_U Load, CMSTP Execution, CertOC Loading Dll, Suspicious Rundll32.exe Execution, Suspicious Control Process, Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json index 2902b66dd1..93851ddf36 100644 --- a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Darktrace Threat Visualizer", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json index 7d5030012d..f685cd2c0f 100644 --- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json index 5a33498b3d..92af1524f6 100644 --- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Winword wrong parent, Explorer Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Winword wrong parent, Explorer Wrong Parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious DNS Child Process, PsExec Process, Winword wrong parent, Rare Logonui Child Found, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Rare Lsass Child Found, Suspicious DNS Child Process, Windows Update LolBins, PsExec Process, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, PowerShell Download From URL, Trickbot Malware Activity, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, Mshta Suspicious Child Process, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, QakBot Process Creation, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Linux Bash Reverse Shell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution, Potential DNS Tunnel, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos Analysis Threat Center", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Rare Lsass Child Found, Winword wrong parent, New Service Creation, Explorer Wrong Parent, SolarWinds Wrong Child Process, Csrss Child Found, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Rare Lsass Child Found, Winword wrong parent, New Service Creation, Explorer Wrong Parent, SolarWinds Wrong Child Process, Csrss Child Found, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Rare Lsass Child Found, Winword wrong parent, Usage Of Sysinternals Tools, Suspicious DNS Child Process, PsExec Process, SolarWinds Wrong Child Process, Csrss Child Found, Searchprotocolhost Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Rare Lsass Child Found, Winword wrong parent, Usage Of Sysinternals Tools, Windows Update LolBins, Suspicious DNS Child Process, PsExec Process, Exfiltration Via Pscp, SolarWinds Wrong Child Process, Csrss Child Found, Searchprotocolhost Child Found, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, CMSTP UAC Bypass via COM Object Access, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json index dc0d688469..e36d9e8e79 100644 --- a/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_9b95c9cf-8b78-4830-a1ed-b9e88f05e67a_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Generic-reverse-shell-oneliner, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Explorer Process Executing HTA File, Control Panel Items, Equation Group DLL_U Load, xWizard Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Exfiltration Via Pscp, Usage Of Sysinternals Tools, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity), Microsoft Office Creating Suspicious File, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Cobalt Strike Default Beacons Names, Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity)"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Palo Alto Cortex XDR (EDR)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, OceanLotus Registry Activity, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, PowerShell Download From URL, Elise Backdoor, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, AccCheckConsole Executing Dll, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, Control Panel Items, Equation Group DLL_U Load, CMSTP Execution, CertOC Loading Dll, Suspicious Rundll32.exe Execution, Suspicious Control Process, Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, Exfiltration Via Pscp, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, RTLO Character, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Palo Alto Cortex XDR (EDR) Alert Not Blocked (Medium Severity), Palo Alto Cortex XDR (EDR) Alert Not Blocked (High Severity), Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Palo Alto Cortex XDR (EDR) Alert Not Blocked (Low Severity)"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json index a400d00fa7..3f489f1d90 100644 --- a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Claroty xDome", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json index b204f24b68..5c4de930f3 100644 --- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Cybereason EDR Alert, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cybereason EDR Alert, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Cybereason EDR Alert, Microsoft Office Creating Suspicious File, Aspnet Compiler"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, Cybereason EDR Alert"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cybereason EDR Alert, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Cybereason EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json index a913c44911..213ad01340 100644 --- a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Netskope Transaction Events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json index 7a0d402e96..259d3581fb 100644 --- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json index 0247e8b2fa..3feaa0e39e 100644 --- a/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a14b1141-2d61-414b-bf79-da99b487b1af_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Debugging Software Deactivation, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disable Task Manager Through Registry Key, Raccine Uninstall, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Restoration Abuse, Disabled IE Security Features, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: WMIC Uninstall Product, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, Phorpiex DriveMgr Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Sekoia.io EICAR Detection"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Potential DNS Tunnel, Netsh Port Forwarding"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Python HTTP Server, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Sliver DNS Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Cobalt Strike HTTP Default GET beaconing, FoggyWeb HTTP Default GET/POST Requests, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent, Cryptomining, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}]} \ No newline at end of file +{"name": "SEKOIA.IO x F5 BIG-IP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Debugging Software Deactivation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, WMIC Uninstall Product, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Sekoia.io EICAR Detection, Linux Bash Reverse Shell, Suspicious PowerShell Invocations - Specific, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command, MavInject Process Injection, CertOC Loading Dll, Control Panel Items, Suspicious Windows Installer Execution"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Python HTTP Server, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Python HTTP Server, TrevorC2 HTTP Communication, Koadic MSHTML Command, Nimbo-C2 User Agent, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, PowerCat Function Loading"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22986 F5 BIG-IP iControl REST Unauthenticated RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json index 85d99e844a..542d7627e1 100644 --- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json index 1f7900ea39..7cbbcb4b44 100644 --- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json index ef20e49eca..755770eb17 100644 --- a/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a2915a14-d1e9-4397-86fc-8f8b2c617466_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Olfeo secure web gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json index f9b504c398..b1b35fe2ae 100644 --- a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Covenant Default HTTP Beaconing, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x F5 NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json index 5dca42d16b..64fab8bc57 100644 --- a/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ae62a8c4-11f8-4aea-af5b-6968f8ac04ba_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Key Vault [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json index 87930beaf8..1f00d8202e 100644 --- a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json index d1fa5e3ee0..cb816a09eb 100644 --- a/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_b28db14b-e3a7-463e-8659-9bf0e577944f_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x OpenSSH", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer, PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: WMI Persistence Command Line Event Consumer"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json index 58f76f39e6..43e9f55fa2 100644 --- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, Sekoia.io EICAR Detection, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Explorer Process Executing HTA File, Control Panel Items, Equation Group DLL_U Load, xWizard Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Mshta Execution, Suspicious Control Process, CMSTP Execution, Suspicious Regasm Regsvcs Usage, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Exfiltration Via Pscp"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, PowerShell Download From URL, Elise Backdoor, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage, Empire Monkey Activity, AccCheckConsole Executing Dll, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Mshta JavaScript Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, Control Panel Items, Equation Group DLL_U Load, CMSTP Execution, CertOC Loading Dll, Suspicious Rundll32.exe Execution, Suspicious Control Process, Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json index bc874102d7..abb09d53cf 100644 --- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json index fe1f5a8267..c343374629 100644 --- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Trellix Network Security Threat Blocked, Detect requests to Konni C2 servers, Koadic MSHTML Command, Trellix Network Security Threat Notified, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix Network Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Trellix Network Security Threat Blocked, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Trellix Network Security Threat Notified, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json index 0dfc735bdc..f916ef1f9a 100644 --- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json index e1b42e8cb0..61e0cd039d 100644 --- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json index b81e56d954..e950071849 100644 --- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json index c696306581..f011042b44 100644 --- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winrshost Wrong Parent, Chafer (APT 39) Activity, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winrshost Wrong Parent, Chafer (APT 39) Activity, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Winrshost Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Wininit Wrong Parent, Exfiltration Via Pscp, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Winrshost Wrong Parent, Windows Update LolBins, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, SolarWinds Suspicious File Creation, Smss Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Chafer (APT 39) Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, HackTools Suspicious Names, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation, Process Memory Dump Using Createdump"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Forwarding, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh RDP Port Forwarding, SELinux Disabling, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, TrustedInstaller Impersonation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Windows Defender Deactivation Using PowerShell Script, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Disabled Service, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh RDP Port Forwarding, SELinux Disabling, Disabled IE Security Features, Fail2ban Unban IP, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, TrustedInstaller Impersonation, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Windows Defender Deactivation Using PowerShell Script, ETW Tampering, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Netsh Allow Command, Disabled Service, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Powershell AMSI Bypass, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Socat Relaying Socket, Generic-reverse-shell-oneliner, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Invoke-TheHash Commandlets, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, PowerShell NTFS Alternate Data Stream, PowerShell Download From URL, FromBase64String Command Line, Trickbot Malware Activity, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, Mshta Suspicious Child Process, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, PowerShell Malicious PowerShell Commandlets, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, QakBot Process Creation, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, PowerShell Credential Prompt, Malicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, Python Offensive Tools and Packages, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Linux Bash Reverse Shell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, Interactive Terminal Spawned via Python, WMImplant Hack Tool, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Powershell AMSI Bypass"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, Socat Relaying Socket, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Reverse Shell Detection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, WMImplant Hack Tool, Wmic Process Call Creation, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell NTFS Alternate Data Stream, FromBase64String Command Line, Suspicious Taskkill Command, PowerShell Invoke Expression With Registry, Powershell Web Request, Suspicious PowerShell Invocations - Generic, Suspicious PowerShell Keywords, Mshta Suspicious Child Process, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Malicious PowerShell Commandlets, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, PowerShell Credential Prompt, Malicious PowerShell Keywords, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, WMImplant Hack Tool, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Outlook Child Process, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, PowerView commandlets 2, Phosphorus Domain Controller Discovery, PowerView commandlets 1, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Chafer (APT 39) Activity"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Stop Backup Services, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Kernel Module Alteration, Leviathan Registry Key Activity, Powershell Winlogon Helper DLL, RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, SSH Authorized Key Alteration, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Chafer (APT 39) Activity"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Chafer (APT 39) Activity"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, PowerView commandlets 1, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, RDP Login From Localhost, MMC Spawning Windows Shell"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack, Rubeus Register New Logon Process"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Microsoft Defender Antivirus Threat Detected, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Wininit Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, RDP Sensitive Settings Changed, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Names, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, CMSTP UAC Bypass via COM Object Access, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, TrustedInstaller Impersonation, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, SELinux Disabling, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Disabled Service, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, TrustedInstaller Impersonation, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Disable SecurityHealth, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Powershell AMSI Bypass, ETW Tampering, Netsh Allow Command, Microsoft Defender Antivirus Tampering Detected, SELinux Disabling, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Disabled Service, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, Windows Defender Deactivation Using PowerShell Script, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, Generic-reverse-shell-oneliner, PowerShell Malicious PowerShell Commandlets, Aspnet Compiler, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, PowerShell Download From URL, Mshta Suspicious Child Process, PowerShell Credential Prompt, Suspicious Cmd.exe Command Line, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Suspicious Windows Script Execution, PowerShell NTFS Alternate Data Stream, Lazarus Loaders, Suspicious PowerShell Keywords, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, Sysprep On AppData Folder, Socat Reverse Shell Detection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, PowerShell Invoke Expression With Registry, Malicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, FromBase64String Command Line, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious XOR Encoded PowerShell Command Line, XSL Script Processing And SquiblyTwo Attack, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Generic, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Socat Relaying Socket, Socat Reverse Shell Detection, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Invoke-TheHash Commandlets, Blue Mockingbird Malware, WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Malicious PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Mshta Suspicious Child Process, PowerShell Credential Prompt, PowerShell EncodedCommand, PowerShell NTFS Alternate Data Stream, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Invoke-TheHash Commandlets, WMImplant Hack Tool, Bloodhound and Sharphound Tools Usage, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, FromBase64String Command Line, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious Taskkill Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, PowerShell Data Compressed, Data Compressed With Rar With Password"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Suspicious Hangul Word Processor Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Account Tampering - Suspicious Failed Logon Reasons, Admin User RDP Remote Logon"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, PowerView commandlets 1, Phosphorus Domain Controller Discovery, PowerView commandlets 2, NlTest Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Chafer (APT 39) Activity, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Stop Backup Services, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation, Impacket Addcomputer"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, Leviathan Registry Key Activity, Suspicious desktop.ini Action, Powershell Winlogon Helper DLL, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution, Python HTTP Server, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, Active Directory Data Export Using Csvde"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Certify Or Certipy"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement, RDP Login From Localhost"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell NTFS Alternate Data Stream"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json index fff3afd0b2..2f0eabdfb7 100644 --- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json index 752b89f0c1..3079f5064a 100644 --- a/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c2faea65-1eb3-4f3f-b895-c8769a749d45_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fastly Next-Gen WAF Audit Logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Cryptomining, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json index cbf040f614..86af2e1fdf 100644 --- a/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c3888137-b34e-4526-ab61-836b2d45a742_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Netfilter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json index 4111f24103..5fd4198a17 100644 --- a/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c6a43439-7b9d-4678-804b-ebda6756db60_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cyberwatch Detection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cyberwatch Detection", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json index 716fd353db..aa0df6a93a 100644 --- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Microsoft 365 Device Code Authentication, Account Added To A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Suspicious Double Extension, Suspicious Email Attachment Received, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) AtpDetection, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, SEKOIA.IO Intelligence Feed, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Suspicious Email Attachment Received, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MCAS Repeated Delete, Possible Malicious File Double Extension, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Suspicious Double Extension, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Mass Download By A Single User"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Mass Download By A Single User"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Suspicious Double Extension, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Mass Download By A Single User, Possible Malicious File Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) AtpDetection, Suspicious Double Extension, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Repeated Delete, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Repeated Delete, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Entra ID Password Compromised By Known Credential Testing Tool"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json index 9e6f958bb9..5702370fb3 100644 --- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json index fbb4ab191e..a53cc8247f 100644 --- a/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d0383e87-e054-4a21-8a2c-6a89635d8615_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Ubika Cloud Protector Alerts [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json index 4cc6754ccd..6ee5be4c64 100644 --- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway Network", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json index 72ba513f07..de65af86a8 100644 --- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Salesforce", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json index 0ffedc55a5..a3eb17bb2d 100644 --- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, AWS CloudTrail EC2 Startup Script Changed, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail KMS CMK Key Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Disable MFA, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Suspended, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail Important Change, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail IAM DeleteSAMLProvider"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Important Change, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Disable MFA, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Remove Flow logs, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail IAM DeleteOpenIDConnectProvider"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSSHPublicKey"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Policy Changed, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Attempt"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Change Master Password, AWS CloudTrail RDS Public DB Restore"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Policy Changed, Password Change On Directory Service Restore Mode (DSRM) Account, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Failed User Creation"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail IAM ChangePassword, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, Microsoft Defender Antivirus Tampering Detected, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Disable MFA, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail Important Change"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, Backup Catalog Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail IAM DeleteOpenIDConnectProvider, AWS CloudTrail Remove Flow logs, AWS CloudTrail IAM ChangePassword, AWS CloudTrail IAM CreateSAMLProvider, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail IAM CreateOpenIDConnectProvider, AWS CloudTrail IAM UpdateOpenIDConnectProviderThumbprint, AWS CloudTrail Config DeleteConfigurationRecorder, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail IAM RemoveClientIDFromOpenIDConnectProvider, AWS CloudTrail IAM DeleteSAMLProvider, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail IAM UpdateSAMLProvider, AWS CloudTrail IAM AWSCompromisedKeyQuarantineV2, AWS CloudTrail Disable MFA, AWS CloudTrail IAM AddClientIDToOpenIDConnectProvider, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Important Change"}, {"techniqueID": "T1021.007", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Instance Connect SendSSHPublicKey, AWS CloudTrail EC2 DeleteKeyPair, AWS CloudTrail EC2 Instance Connect SendSerialConsoleSSHPublicKey, AWS CloudTrail EC2 CreateKeyPair"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail IAM Policy Changed, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail EC2 CreateVPC, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1578.002", "score": 100, "comment": "Rules: AWS CloudTrail EC2 CreateVPC"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json index 448a6dea6c..6787ab3661 100644 --- a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Sliver DNS Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Broadcom Cloud Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json index 300f024ed7..9f6ebda48c 100644 --- a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json index 70beec3eb2..29ed2e7618 100644 --- a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json index 4a462ddbdf..1da1f3b10d 100644 --- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cryptomining, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json index 863bfc3883..e87e762abc 100644 --- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json index 4dbc7bd0cb..6e68604095 100644 --- a/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_dbebefdd-dd2e-48a9-89e6-ee5a00ee0956_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Veeam Backup", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Veeam Backup", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json index 35ffe0522e..8a783ae9cb 100644 --- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Dynamic DNS Contacted, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Cryptomining"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, TOR Usage Generic Rule"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), EvilProxy Phishing Domain"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Zscaler Internet Access", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Sliver DNS Beaconing, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Suspicious TOR Gateway"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json index 56afb85561..2c80f57631 100644 --- a/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_dcb14795-a6f0-4ebb-a73d-6eb8b982afcd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Systancia Cleanroom [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json index 3226465268..3be6cd41e3 100644 --- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json index 68c14cd5b7..da8e41c34a 100644 --- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Email Attachment Received"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json index 9c10798e25..07334dfe4e 100644 --- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Spam Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Scam Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Scam Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Spearphishing (CEO Fraud) Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Scam Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (W2 Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Spearphishing (CEO Fraud) Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json index 0134eb5524..faa9519b45 100644 --- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Application modified, Okta User Account Deactivated, Okta Admin Privilege Granted, Okta User Impersonation Access, Okta Application deleted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta MFA Disabled, Okta Network Zone Deleted, Okta Network Zone Modified, Okta Blacklist Manipulations, Okta Security Threat Configuration Updated"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta Network Zone Modified"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected, Sekoia.io EICAR Detection"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Account Deactivated, Okta Application deleted, Okta Application modified, Okta User Impersonation Access, Okta Admin Privilege Granted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Blacklist Manipulations, Okta Network Zone Modified, Okta Security Threat Configuration Updated, Okta MFA Disabled, Okta Network Zone Deleted, Okta Network Zone Deactivated"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Modified, Okta Network Zone Deactivated, Okta Network Zone Deleted"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json index 7d9f748d38..a5844a5a79 100644 --- a/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e8ca856f-8a58-490b-bea4-247b12b3d74b_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x OpenVPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x OpenVPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json index c620496ca4..d1bf61ba68 100644 --- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, NTDS.dit File In Suspicious Directory, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials, WCE wceaux.dll Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh RDP Port Forwarding, SELinux Disabling, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Allowed Python Program, Netsh RDP Port Forwarding, SELinux Disabling, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, Netsh Allow Command, Disabled Service, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Relaying Socket, Generic-reverse-shell-oneliner, Venom Multi-hop Proxy agent detection, Phorpiex DriveMgr Command, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Linux Bash Reverse Shell, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, Interactive Terminal Spawned via Python, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Download From URL, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Socat Reverse Shell Detection"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Exfiltration Via Pscp"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, NlTest Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Copying Browser Files With Credentials, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Rubeus Tool Command-line, Process Trace Alteration, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, SELinux Disabling, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled Service, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, SELinux Disabling, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled Service, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Interactive Terminal Spawned via Python, Generic-reverse-shell-oneliner, Phorpiex DriveMgr Command, PowerShell Download From URL, Elise Backdoor, Microsoft Office Creating Suspicious File, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, Socat Reverse Shell Detection, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Python Offensive Tools and Packages, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, PowerShell Execution Via Rundll32, Suspicious Taskkill Command, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process, Usage Of Procdump With Common Arguments, Exfiltration Via Pscp"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Venom Multi-hop Proxy agent detection, Socat Relaying Socket"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, Linux Remove Immutable Attribute"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, PowerCat Function Loading"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json index 454df6b581..35bc68aaf1 100644 --- a/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_eb727929-6a06-4e68-a09d-cf0e5daf3ccd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Email Attachment Received"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Postfix", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json index 8d6b97d9cc..a1d6c9fab9 100644 --- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Microsoft Exchange Suspicious Paths, Microsoft Exchange Server Creating Unusual Files"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File, Aspnet Compiler"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 PrintNightmare Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Microsoft Exchange Server Creating Unusual Files, ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Aspnet Compiler, Sekoia.io EICAR Detection, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json index d84c987116..dbc6b94739 100644 --- a/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ee54dd8e-4bd4-4fe8-9d9d-1a018cd8c4bb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Windows Log Insight", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Impacket Addcomputer"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Impacket Addcomputer"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json index 73a21d18b2..e5c60d5075 100644 --- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, SEKOIA.IO Intelligence Feed, Dynamic DNS Contacted"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cryptomining, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json index 8e87681c80..6aa509d031 100644 --- a/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f0a10c21-37d1-419f-8671-77903dc8de69_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Check Point NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, TrevorC2 HTTP Communication, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json index 2a8b3d45b2..d7f71acabb 100644 --- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-26855 Exchange SSRF, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-1147 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-11776 Apache Struts2, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential LokiBot User-Agent, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json index 3b96b97779..745be5f072 100644 --- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway HTTP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential LokiBot User-Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json index 79117bf791..95b508a357 100644 --- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Exfiltration Via Pscp, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Winword wrong parent, Csrss Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected, Windows Update LolBins, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Winlogon wrong parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious DNS Child Process, Taskhost Wrong Parent, Dllhost Wrong Parent, Usage Of Sysinternals Tools, Rare Lsass Child Found, PsExec Process, Lsass Wrong Parent, Logonui Wrong Parent, Rare Logonui Child Found, Smss Wrong Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity, FlowCloud Malware, Blue Mockingbird Malware, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Process Memory Dump Using Comsvcs, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, Copying Browser Files With Credentials"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Mshta Execution, CMSTP Execution, Mshta JavaScript Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Regsvr32 Execution, Suspicious Taskkill Command, Suspicious Control Process, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Empire Monkey Activity, Explorer Process Executing HTA File, MOFComp Execution, Equation Group DLL_U Load, MavInject Process Injection, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, AMSI Deactivation Using Registry Key, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh Port Forwarding, Debugging Software Deactivation, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Disabled IE Security Features, Fail2ban Unban IP, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Dism Disabling Windows Defender, Address Space Layout Randomization (ASLR) Alteration, ETW Tampering, AMSI Deactivation Using Registry Key, Netsh Allow Command, Netsh Port Opening, WMIC Uninstall Product, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Raccine Uninstall, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable Using Registry, Package Manager Alteration, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Windows Firewall Changes, Netsh RDP Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, Suspicious Taskkill Command, Lazarus Loaders, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Elise Backdoor"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SquirrelWaffle Malspam Execution Loading DLL, Generic-reverse-shell-oneliner, AutoIt3 Execution From Suspicious Folder, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Sekoia.io EICAR Detection, Microsoft Defender Antivirus Threat Detected, Aspnet Compiler, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Windows Script Execution, PowerShell Download From URL, Trickbot Malware Activity, Suspicious Taskkill Command, XSL Script Processing And SquiblyTwo Attack, Elise Backdoor, Powershell Web Request, Mshta Suspicious Child Process, WMIC Uninstall Product, PowerShell Malicious Nishang PowerShell Commandlets, MalwareBytes Uninstallation, Lazarus Loaders, Sysprep On AppData Folder, Bloodhound and Sharphound Tools Usage, QakBot Process Creation, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Linux Bash Reverse Shell, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Downgrade Attack, Microsoft Office Spawning Script, Default Encoding To UTF-8 PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Allow Command"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe, Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Searchindexer Wrong Parent, Spoolsv Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Smss Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Stormshield Ses Emergency Block, Explorer Process Executing HTA File, Suspicious Outlook Child Process, Stormshield Ses Critical Not Block, Stormshield Ses Critical Block, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs, Microsoft Office Spawning Script, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMI Install Of Binary, Impacket Wmiexec Module, Blue Mockingbird Malware, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec, Hiding Files With Attrib.exe"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Compress Data for Exfiltration via Archiver, Data Compressed With Rar"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Compression Followed By Suppression"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, Suspicious PrinterPorts Creation (CVE-2020-1048), Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Mshta JavaScript Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, PowerShell Execution Via Rundll32"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment, List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Windows Script Execution, QakBot Process Creation, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera, Remote Access Tool Domain"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, CMSTP UAC Bypass via COM Object Access, MOFComp Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification, Kernel Module Alteration, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Enabling Restricted Admin Mode, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Linux Suspicious Search, Outlook Registry Access, Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Hangul Word Processor Child Process"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Stormshield SES", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, OneNote Suspicious Children Process, Taskhost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, New Service Creation, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Spoolsv Wrong Parent, Winlogon wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Rare Logonui Child Found, Rare Lsass Child Found, Suspicious DNS Child Process, OneNote Suspicious Children Process, Taskhost Wrong Parent, PsExec Process, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Searchprotocolhost Child Found, Lsass Wrong Parent, Windows Update LolBins, Smss Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Exfiltration Via Pscp, Csrss Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Winword wrong parent, Microsoft Defender Antivirus Threat Detected, Dllhost Wrong Parent, Logonui Wrong Parent, Searchprotocolhost Wrong Parent, SolarWinds Wrong Child Process, Userinit Wrong Parent, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Winlogon wrong parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, FlowCloud Malware, Ursnif Registry Key, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Trace Alteration, Rubeus Tool Command-line, Grabbing Sensitive Hives Via Reg Utility, Suspicious CommandLine Lsassy Pattern"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, MOFComp Execution, Equation Group DLL_U Load, CertOC Loading Dll, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious Regsvr32 Execution, Suspicious Windows Installer Execution, Suspicious DLL Loading By Ordinal, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regasm Regsvcs Usage, Control Panel Items, Mshta JavaScript Execution, Suspicious Control Process, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, CMSTP UAC Bypass via COM Object Access, xWizard Execution, CMSTP Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Fail2ban Unban IP, Netsh RDP Port Opening, Raccine Uninstall, Disabled IE Security Features, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Port Opening, Windows Firewall Changes, Clear EventLogs Through CommandLine, FLTMC command usage, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, ETW Tampering, Netsh Allow Command, Microsoft Defender Antivirus Tampering Detected, Suspicious Microsoft Defender Antivirus Exclusion Command, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, AMSI Deactivation Using Registry Key, Dism Disabling Windows Defender, Netsh Allowed Python Program, Microsoft Defender Antivirus Disable Using Registry, Disable .NET ETW Through COMPlus_ETWEnabled, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: MalwareBytes Uninstallation, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Elise Backdoor, Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Linux Bash Reverse Shell, Generic-reverse-shell-oneliner, Aspnet Compiler, Phorpiex DriveMgr Command, Exploited CVE-2020-10189 Zoho ManageEngine, Elise Backdoor, PowerShell Download From URL, Mshta Suspicious Child Process, Suspicious Cmd.exe Command Line, PowerShell EncodedCommand, Suspicious Windows Script Execution, Lazarus Loaders, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Sysprep On AppData Folder, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Downgrade Attack, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Threat Detected, Powershell Web Request, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious CodePage Switch with CHCP, Suspicious Outlook Child Process, Sekoia.io EICAR Detection, MalwareBytes Uninstallation, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Exploiting SetupComplete.cmd CVE-2019-1378, XSL Script Processing And SquiblyTwo Attack, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, QakBot Process Creation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Netsh Allow Command, Netsh Port Opening, Windows Firewall Changes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, TOR Usage Generic Rule"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Taskhost Wrong Parent, Smss Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Searchprotocolhost Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Mshta Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Rclone Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Hangul Word Processor Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Stormshield Ses Critical Not Block, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Sysmon Windows File Block Executable, Stormshield Ses Emergency Block, Microsoft Defender Antivirus Threat Detected, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Stormshield Ses Critical Block, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, Suspicious Outlook Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Impacket Wmiexec Module, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Blue Mockingbird Malware, Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, Linux Suspicious Nohup Exec"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Compress Data for Exfiltration via Archiver, Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Microsoft Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Compression Followed By Suppression"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Compression Followed By Suppression, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, Microsoft Defender Antivirus Disabled Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Bloodhound and Sharphound Tools Usage, PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution, Suspicious Taskkill Command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious DLL Loading By Ordinal, PowerShell Execution Via Rundll32, Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery, Listing Systemd Environment"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All, File Or Folder Permissions Modifications, Linux Remove Immutable Attribute"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Microsoft Office Spawning Script, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, QakBot Process Creation, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, ProxyShell Microsoft Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain, Remote Monitoring and Management Software - AnyDesk, Remote Monitoring and Management Software - Atera"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Component Object Model Hijacking, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Password Change On Directory Service Restore Mode (DSRM) Account, Enabling Restricted Admin Mode, Add User to Privileged Group"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Linux Suspicious Search, Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, Container Credential Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: FLTMC command usage, ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain, Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1546.015", "score": 100, "comment": "Rules: Component Object Model Hijacking"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Exfiltration And Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, DNS Tunnel Technique From MuddyWater, Cryptomining, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Hangul Word Processor Child Process, Suspicious Double Extension"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious CodePage Switch with CHCP"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Active Directory Data Export Using Csvde, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1564.011", "score": 100, "comment": "Rules: Linux Suspicious Nohup Exec"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json index 4b7aff33f8..b5f1da78b6 100644 --- a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS CloudFront", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Potential Bazar Loader User-Agents, Potential LokiBot User-Agent, SEKOIA.IO Intelligence Feed, Cryptomining, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Potential LokiBot User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json index f8c11ca669..642b651c14 100644 --- a/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ff1873e7-8757-4b1a-b0ca-b33f9b27f3d9_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cryptomining, Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Potential LokiBot User-Agent, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Dynamic DNS Contacted, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-0604 SharePoint, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-26855 Exchange SSRF, CVE-2019-11510 Pulse Secure Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2018-11776 Apache Struts2, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x HAProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Dynamic DNS Contacted, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential LokiBot User-Agent, Koadic MSHTML Command, Cobalt Strike HTTP Default POST Beaconing, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Cryptomining, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-0604 SharePoint, CVE-2021-21985 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-21972 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Microsoft Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, LokiBot Default C2 URL, Potential LokiBot User-Agent, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Cryptomining"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Access Tool Domain"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: TOR Usage Generic Rule"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Sekoia.io EICAR Detection"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md index 7407e9b64b..37e5c1cded 100644 --- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md @@ -1,4 +1,4 @@ -Changelog _last update on 2024-05-31_ +Changelog _last update on 2024-06-06_ ## Changelog diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md index a70d229266..569e7ef52c 100644 --- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md @@ -1,4 +1,4 @@ -Rules catalog includes **882 built-in detection rules** ([_last update on 2024-05-31_](rules_changelog.md)). +Rules catalog includes **882 built-in detection rules** ([_last update on 2024-06-06_](rules_changelog.md)). ## Reconnaissance **Gather Victim Identity Information** diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md index a64b011b8a..816ebdf99d 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.md @@ -3,12 +3,96 @@ The following Sekoia.io built-in rules match the intake **Palo Alto NGFW**. This documentation is updated automatically and is based solely on the fields used by the intake which are checked against our rules. This means that some rules will be listed but might not be relevant with the intake. [SEKOIA.IO x Palo Alto NGFW on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json){ .md-button } +??? abstract "Bazar Loader DGA (Domain Generation Algorithm)" + + Detects Bazar Loader domains based on the Bazar Loader DGA + + - **Effort:** elementary + ??? abstract "Burp Suite Tool Detected" Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner). - **Effort:** intermediate +??? abstract "CVE-2018-11776 Apache Struts2" + + Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. + + - **Effort:** intermediate + +??? abstract "CVE-2019-0604 SharePoint" + + Detects the exploitation of the SharePoint vulnerability (CVE-2019-0604). + + - **Effort:** advanced + +??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit" + + Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA. + + - **Effort:** elementary + +??? abstract "CVE-2020-1147 SharePoint" + + Detection of SharePoint vulnerability CVE-2020-1147. + + - **Effort:** advanced + +??? abstract "CVE-2020-14882 Oracle WebLogic Server" + + Detects the exploitation of the Oracle WebLogic Server vulnerability (CVE-2020-16952). + + - **Effort:** advanced + +??? abstract "CVE-2020-17530 Apache Struts RCE" + + Detects the exploitation of the Apache Struts RCE vulnerability (CVE-2020-17530). + + - **Effort:** intermediate + +??? abstract "CVE-2021-20021 SonicWall Unauthenticated Administrator Access" + + Detects the exploitation of SonicWall Unauthenticated Admin Access. + + - **Effort:** advanced + +??? abstract "CVE-2021-20023 SonicWall Arbitrary File Read" + + Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data. + + - **Effort:** advanced + +??? abstract "CVE-2021-21972 VMware vCenter" + + The vSphere Client (HTML5) contains a remote code execution vulnerability in a vCenter Server plugin. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2). POST request on the following PATH "/ui/vropspluginui/rest/services/uploadova". If in response body (500) the words it has "uploadFile", that means the vCenter is available to accept files via POST without any restrictions. + + - **Effort:** intermediate + +??? abstract "CVE-2021-21985 VMware vCenter" + + The VMware vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server. A malicious actor with network access to port 443 may exploit this issue to execute commands with unrestricted privileges on the underlying operating system that hosts vCenter Server. This affects VMware vCenter Server (7.0 before 7.0 U2b, 6.7 before 6.7 U3n and 6.5 before 6.5 U3p) and VMware Cloud Foundation (4.x before 4.2.1 and 3.x before 3.10.2.1). + + - **Effort:** advanced + +??? abstract "CVE-2021-22123 Fortinet FortiWeb OS Command Injection" + + Detects Fortinet FortiWeb OS Command Injection (August 2021) vulnerability exploitation attempt. A remote, authenticated attacker can execute arbitrary commands on the system hosting a vulnerable FortiWeb WAF by sending a POST request with the command in the name field. At the time of writing this rule, it would appear that the request would respond in code 500 for a successful exploitation attempt. + + - **Effort:** advanced + +??? abstract "CVE-2021-22893 Pulse Connect Secure RCE Vulnerability" + + Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product. + + - **Effort:** intermediate + +??? abstract "CVE-2021-26855 Exchange SSRF" + + Detects the exploitation of ProyxLogon vulerability on Exchange servers. + + - **Effort:** advanced + ??? abstract "Cron Files Alteration" Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation. @@ -21,6 +105,18 @@ The following Sekoia.io built-in rules match the intake **Palo Alto NGFW**. This - **Effort:** master +??? abstract "Detect requests to Konni C2 servers" + + This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September. + + - **Effort:** elementary + +??? abstract "Download Files From Suspicious TLDs" + + Detects download of certain file types from hosts in suspicious TLDs + + - **Effort:** master + ??? abstract "Dynamic DNS Contacted" Detect communication with dynamic dns domain. This kind of domain is often used by attackers. This rule can trigger false positive in non-controlled environment because dynamic dns is not always malicious. @@ -33,6 +129,12 @@ The following Sekoia.io built-in rules match the intake **Palo Alto NGFW**. This - **Effort:** master +??? abstract "FoggyWeb HTTP Default GET/POST Requests" + + Detects GET or POST request pattern observed within the first FoggyWeb campaign detected by Microsoft. + + - **Effort:** advanced + ??? abstract "Internet Scanner" Detects known scanner IP addresses. Alert is only raised when the scan hits an opened port, on TCP or UDP. This could be a very noisy rule, so be careful to check your detection perimeter before activation. @@ -45,6 +147,12 @@ The following Sekoia.io built-in rules match the intake **Palo Alto NGFW**. This - **Effort:** master +??? abstract "Koadic MSHTML Command" + + Detects Koadic payload using MSHTML module + + - **Effort:** intermediate + ??? abstract "NTDS.dit File In Suspicious Directory" The file NTDS.dit is supposed to be located mainly in C:\Windows\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes. @@ -63,18 +171,48 @@ The following Sekoia.io built-in rules match the intake **Palo Alto NGFW**. This - **Effort:** advanced +??? abstract "Possible Malicious File Double Extension" + + Detects request to potential malicious file with double extension + + - **Effort:** elementary + +??? abstract "Potential Azure AD Phishing Page (Adversary-in-the-Middle)" + + Detects an HTTP request to an URL typical of the Azure AD authentication flow, but towards a domain that is not one the legitimate Microsoft domains used for Azure AD authentication. + + - **Effort:** intermediate + ??? abstract "Potential DNS Tunnel" Detects domain name which is longer than 95 characters. Long domain names are distinctive of DNS tunnels. - **Effort:** advanced +??? abstract "Privilege Escalation Awesome Scripts (PEAS)" + + Detect PEAS privileges escalation scripts and binaries + + - **Effort:** elementary + +??? abstract "ProxyShell Microsoft Exchange Suspicious Paths" + + Detects suspicious calls to Microsoft Exchange resources, in locations related to webshells observed in campaigns using this vulnerability. + + - **Effort:** elementary + ??? abstract "RTLO Character" Detects RTLO (Right-To-Left character) in file and process names. - **Effort:** elementary +??? abstract "Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL" + + Detects Raccoon Stealer 2.0 malware downloading legitimate third-party DLLs from its C2 server. These legitimate DLLs are used by the information stealer to collect data on the compromised hosts. + + - **Effort:** elementary + ??? abstract "Remote Access Tool Domain" Detects traffic toward a domain flagged as a Remote Administration Tool (RAT). @@ -99,12 +237,24 @@ The following Sekoia.io built-in rules match the intake **Palo Alto NGFW**. This - **Effort:** master +??? abstract "Suspicious Download Links From Legitimate Services" + + Detects users clicking on Google docs links to download suspicious files. This technique was used a lot by Bazar Loader in the past. + + - **Effort:** elementary + ??? abstract "Suspicious Email Attachment Received" Detects email containing an .exe|.dll|.ps1|.bat|.hta attachment. Most of the time files send by mail like this are malware. - **Effort:** elementary +??? abstract "Suspicious URI Used In A Lazarus Campaign" + + Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised. + + - **Effort:** intermediate + ??? abstract "TOR Usage Generic Rule" Detects TOR usage globally, whether the IP is a destination or source. TOR is short for The Onion Router, and it gets its name from how it works. TOR intercepts the network traffic from one or more apps on user’s computer, usually the user web browser, and shuffles it through a number of randomly-chosen computers before passing it on to its destination. This disguises user location, and makes it harder for servers to pick him/her out on repeat visits, or to tie together separate visits to different sites, this making tracking and surveillance more difficult. Before a network packet starts its journey, user’s computer chooses a random list of relays and repeatedly encrypts the data in multiple layers, like an onion. Each relay knows only enough to strip off the outermost layer of encryption, before passing what’s left on to the next relay in the list. diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md index 42d957662a..ee526a1bee 100644 --- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md +++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md @@ -1,6 +1,6 @@ # Built-in detection rules, EventIDs and EventProviders relations SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture. -This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-05-31_ +This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2024-06-06_ The colors of the EventIDs in this page should be interpreted as follow: