From 4eb41f08e13509fdea1098d9e8a9e299c1e23735 Mon Sep 17 00:00:00 2001 From: GuillaumeCSekoia Date: Fri, 15 Sep 2023 14:51:55 +0000 Subject: [PATCH] Refresh Built-in detection rules documentation --- ...f5e-a585fc7c8fc0_do_not_edit_manually.json | 2 +- ...41e-af269b45bef1_do_not_edit_manually.json | 2 +- ...7d1-588319e39d71_do_not_edit_manually.json | 2 +- ...5c4-c8174c307e48_do_not_edit_manually.json | 2 +- ...06d-f92f3a46bcdd_do_not_edit_manually.json | 2 +- ...575-9e43af779f9f_do_not_edit_manually.json | 2 +- ...5e2-4597e366b8c4_do_not_edit_manually.json | 2 +- ...02e-e88fe2193365_do_not_edit_manually.json | 1 + ...803-e7990afe78b6_do_not_edit_manually.json | 2 +- ...b17-90c0be6b1f10_do_not_edit_manually.json | 2 +- ...9b6-76bf5298a617_do_not_edit_manually.json | 2 +- ...fbd-01e3fac01cd5_do_not_edit_manually.json | 2 +- ...c24-2d7129137688_do_not_edit_manually.json | 2 +- ...13a-f8dd48cddc8c_do_not_edit_manually.json | 2 +- ...46b-974354a107bb_do_not_edit_manually.json | 2 +- ...cfd-43f7d9595777_do_not_edit_manually.json | 2 +- ...d19-67edc91fb063_do_not_edit_manually.json | 2 +- ...e06-7b335e439c29_do_not_edit_manually.json | 2 +- ...916-636c27ba4931_do_not_edit_manually.json | 2 +- ...b02-e72f870fcbd1_do_not_edit_manually.json | 2 +- ...901-b7fadfb0ba48_do_not_edit_manually.json | 2 +- ...038-3f7d5a3b8b11_do_not_edit_manually.json | 2 +- ...00a-2b58303cac90_do_not_edit_manually.json | 2 +- ...e47-1574946412b6_do_not_edit_manually.json | 2 +- ...750-5db882ea1266_do_not_edit_manually.json | 2 +- ...033-6f1f887a70f2_do_not_edit_manually.json | 2 +- ...597-d2944a601930_do_not_edit_manually.json | 2 +- ...6bd-91a447bb26bd_do_not_edit_manually.json | 2 +- ...f3b-f73a622c9687_do_not_edit_manually.json | 2 +- ...c99-5c2de7e1d340_do_not_edit_manually.json | 2 +- ...4fa-28d6c1f2e2a8_do_not_edit_manually.json | 2 +- ...d69-684a0b3835fc_do_not_edit_manually.json | 2 +- ...d60-8fd5e39140b3_do_not_edit_manually.json | 2 +- ...109-c6d85b91bbcf_do_not_edit_manually.json | 2 +- ...703-7452882e70da_do_not_edit_manually.json | 2 +- ...2ff-0e1cde564161_do_not_edit_manually.json | 2 +- ...f81-30df7b1963a0_do_not_edit_manually.json | 2 +- ...e09-44d31626b694_do_not_edit_manually.json | 2 +- ...e5e-5c712b37248e_do_not_edit_manually.json | 2 +- ...28f-3ee3cd5b9a8e_do_not_edit_manually.json | 2 +- ...47b-ef64dd87c981_do_not_edit_manually.json | 2 +- ...746-b2b9f366e34b_do_not_edit_manually.json | 2 +- ...780-b225c59e9f99_do_not_edit_manually.json | 2 +- ...60f-2d3fd0b46987_do_not_edit_manually.json | 2 +- ...c15-3828627ba899_do_not_edit_manually.json | 2 +- ...5de-5c2722fa020e_do_not_edit_manually.json | 2 +- ...fb3-f7c543fd84a5_do_not_edit_manually.json | 2 +- ...b6d-3f79045f28fa_do_not_edit_manually.json | 2 +- ...a81-31090d723a60_do_not_edit_manually.json | 2 +- ...cbb-bc830118c1f9_do_not_edit_manually.json | 2 +- ...079-ab35ac6b2ab9_do_not_edit_manually.json | 2 +- ...b3d-b7cb7b7db618_do_not_edit_manually.json | 2 +- ...b6f-a8e4dcac3d1d_do_not_edit_manually.json | 2 +- ...f1d-772e9a30f0dd_do_not_edit_manually.json | 2 +- ...563-db21da09cafd_do_not_edit_manually.json | 2 +- ...bcc-45fd108ba1be_do_not_edit_manually.json | 2 +- ...93f-bbd70d114188_do_not_edit_manually.json | 2 +- ...90d-9af2f7be7019_do_not_edit_manually.json | 2 +- ...76c-408472fcfebb_do_not_edit_manually.json | 2 +- ...060-a9d9f2d270db_do_not_edit_manually.json | 2 +- ...afa-595bd430c0cb_do_not_edit_manually.json | 2 +- ...e37-842703494be0_do_not_edit_manually.json | 2 +- ...ae5-aa67d2f29fcb_do_not_edit_manually.json | 2 +- ...35b-3607d01150e6_do_not_edit_manually.json | 2 +- ...55c-34d2301c1f51_do_not_edit_manually.json | 2 +- ...0b6-7df6738d5d7f_do_not_edit_manually.json | 2 +- ...af7-bc4f81ad6df3_do_not_edit_manually.json | 2 +- ...79a-f97be24cc02d_do_not_edit_manually.json | 2 +- ...e56-0242ac120002_do_not_edit_manually.json | 2 +- ...0ce-dbcae04eaf26_do_not_edit_manually.json | 2 +- ...b7a-4f2d0a518b04_do_not_edit_manually.json | 2 +- ...475-a7f43754ab6d_do_not_edit_manually.json | 2 +- ...5aa-2a6a900df99b_do_not_edit_manually.json | 2 +- ...3ba-652eca2e8ed0_do_not_edit_manually.json | 2 +- ...43e-9848cadb1f99_do_not_edit_manually.json | 2 +- ...844-f7f4d7348199_do_not_edit_manually.json | 2 +- ...a64-fb65d4b0a4cf_do_not_edit_manually.json | 2 +- ...847-983f38efb8ff_do_not_edit_manually.json | 2 +- ...602-a5994544d9ed_do_not_edit_manually.json | 2 +- ...f71-46155af56570_do_not_edit_manually.json | 2 +- ...15f-1f83807ff3cc_do_not_edit_manually.json | 2 +- ...659-4cb814431e29_do_not_edit_manually.json | 2 +- ...9c5-e075f3fb3216_do_not_edit_manually.json | 2 +- ...e89-f2b8be4baf4e_do_not_edit_manually.json | 2 +- ...8ed-b7fb3d7fa232_do_not_edit_manually.json | 2 +- ...785-c1276277b5d7_do_not_edit_manually.json | 2 +- ...e0e-ca4e6cecf7e6_do_not_edit_manually.json | 2 +- ...af5-b69c7b679887_do_not_edit_manually.json | 2 +- ...cb6-2f574bd4ce51_do_not_edit_manually.json | 2 +- ...399-ddd992d48472_do_not_edit_manually.json | 2 +- ...c2d-e2cfa46bf0e5_do_not_edit_manually.json | 2 +- ...098-fe4a9e0aeaa0_do_not_edit_manually.json | 1 + ...in_rules_changelog_do_not_edit_manually.md | 90 +- .../built_in_rules_do_not_edit_manually.md | 52 +- ...-85c4-c8174c307e48_do_not_edit_manually.md | 6 + ...-906d-f92f3a46bcdd_do_not_edit_manually.md | 4 +- ...-802e-e88fe2193365_do_not_edit_manually.md | 1090 ++++++++++++ ...-8e06-7b335e439c29_do_not_edit_manually.md | 6 + ...-bb02-e72f870fcbd1_do_not_edit_manually.md | 6 + ...-8038-3f7d5a3b8b11_do_not_edit_manually.md | 6 + ...-8033-6f1f887a70f2_do_not_edit_manually.md | 6 + ...-9c99-5c2de7e1d340_do_not_edit_manually.md | 6 + ...-94fa-28d6c1f2e2a8_do_not_edit_manually.md | 6 + ...-b780-b225c59e9f99_do_not_edit_manually.md | 6 + ...-9b6f-a8e4dcac3d1d_do_not_edit_manually.md | 6 + ...-bf1d-772e9a30f0dd_do_not_edit_manually.md | 6 + ...-9bcc-45fd108ba1be_do_not_edit_manually.md | 6 + ...-943e-9848cadb1f99_do_not_edit_manually.md | 6 + ...-9098-fe4a9e0aeaa0_do_not_edit_manually.md | 1474 +++++++++++++++++ .../built_in_detection_rules_eventids.md | 860 +++++----- 110 files changed, 3249 insertions(+), 575 deletions(-) create mode 100644 _shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json create mode 100644 _shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json create mode 100644 _shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md create mode 100644 _shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json index 49c7cf5ac7..7539aafa72 100644 --- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Kubernetes Engine (GKE)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Disabled IE Security Features"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Kubernetes Engine (GKE)", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, PowerShell EncodedCommand"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json index 4ab91434dd..455e4b86bc 100644 --- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, PowerShell Download From URL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Python Offensive Tools and Packages, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious Control Process, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, Mshta JavaScript Execution, CertOC Loading Dll, AccCheckConsole Executing Dll"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json index fb2bea26d8..d933cbf87b 100644 --- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Citrix ADC / NetScaler [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Citrix ADC / NetScaler [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json index 5f905b8d0d..0b7f7410cd 100644 --- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WithSecure Elements [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, PowerShell Download From URL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WithSecure Elements [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Package Manager Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Package Manager Alteration, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Python Offensive Tools and Packages, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious Control Process, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, Mshta JavaScript Execution, CertOC Loading Dll, AccCheckConsole Executing Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json index d2a5909678..a7130722bd 100644 --- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Drive Reports", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json index 7736d0304c..0d2bcbeb87 100644 --- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Socat Relaying Socket, Socat Reverse Shell Detection, PowerShell EncodedCommand, SquirrelWaffle Malspam Execution Loading DLL, Microsoft 365 Defender Cloud App Security Alert, Suspicious VBS Execution Parameter, Microsoft Defender for Office 365 Alert, Python Offensive Tools and Packages, Phorpiex DriveMgr Command, Microsoft 365 Defender Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, QakBot Process Creation, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Interactive Terminal Spawned via Python, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Microsoft 365 Defender For Endpoint Alert, Sysprep On AppData Folder, Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, Netsh Port Forwarding, SELinux Disabling, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, Netsh Allowed Python Program, Netsh Port Forwarding, SELinux Disabling, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Leviathan Registry Key Activity, Kernel Module Alteration, Autorun Keys Modification"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Microsoft 365 Defender Alert, Winword Document Droppers, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Microsoft 365 Defender For Endpoint Alert, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft 365 Defender Cloud App Security Alert, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, Microsoft Defender for Office 365 Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft 365 Defender Alert, SolarWinds Suspicious File Creation, SolarWinds Wrong Child Process, Suspicious DNS Child Process, Winword wrong parent, Microsoft 365 Defender For Endpoint Alert, Suspicious Commands From MS SQL Server Shell, PsExec Process, Usage Of Sysinternals Tools, Wininit Wrong Parent, Winrshost Wrong Parent, Microsoft 365 Defender Cloud App Security Alert, Windows Update LolBins, Usage Of Procdump With Common Arguments, Microsoft Defender for Office 365 Alert"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Control Panel Items, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Regsvr32 Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, xWizard Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Suspicious DNS Child Process, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, PsExec Process, Usage Of Sysinternals Tools, Wininit Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Winrshost Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Blue Mockingbird Malware, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious DNS Child Process, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Suspicious Driver Loaded, MalwareBytes Uninstallation, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, SELinux Disabling, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Disabled IE Security Features, Windows Firewall Changes, Suspicious Driver Loaded, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Phorpiex DriveMgr Command, Microsoft 365 Defender Alert, Microsoft Defender for Office 365 Alert, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Socat Reverse Shell Detection, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Microsoft 365 Defender Cloud App Security Alert, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, Socat Relaying Socket, Suspicious Outlook Child Process, Venom Multi-hop Proxy agent detection, PowerShell EncodedCommand, Python Offensive Tools and Packages, Microsoft 365 Defender For Endpoint Alert, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes, Leviathan Registry Key Activity"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Winword Document Droppers, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 Defender Alert, Microsoft Defender for Office 365 Alert, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Microsoft 365 Defender Cloud App Security Alert, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Explorer Process Executing HTA File, Winword Document Droppers, Microsoft 365 Defender For Endpoint Alert, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Winrshost Wrong Parent, PsExec Process, Wininit Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft 365 Defender Alert, Microsoft Defender for Office 365 Alert, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, Winrshost Wrong Parent, Microsoft 365 Defender Cloud App Security Alert, PsExec Process, Wininit Wrong Parent, SolarWinds Suspicious File Creation, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious Commands From MS SQL Server Shell, Microsoft 365 Defender For Endpoint Alert, Suspicious DNS Child Process, Windows Update LolBins"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, MOFComp Execution, Suspicious Mshta Execution, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Empire Monkey Activity, MavInject Process Injection, CertOC Loading Dll, Suspicious Control Process, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Explorer Wrong Parent, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Winrshost Wrong Parent, Wininit Wrong Parent, New Service Creation, Explorer Wrong Parent, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Winrshost Wrong Parent, Wininit Wrong Parent, New Service Creation, Explorer Wrong Parent, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious HWP Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json index 5bd03c03a4..4c02e50942 100644 --- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x VMware-vcenter [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x VMware-vcenter [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json new file mode 100644 index 0000000000..79adbdd5d7 --- /dev/null +++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json @@ -0,0 +1 @@ +{"name": "SEKOIA.IO x Trend Micro Apex One [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Package Manager Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Package Manager Alteration, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Python Offensive Tools and Packages, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious Control Process, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, Mshta JavaScript Execution, CertOC Loading Dll, AccCheckConsole Executing Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json index 171300edeb..dc3cffbb46 100644 --- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Failed To Log In To The Management Console, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR SSO User Added"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, SentinelOne EDR User Logged In To The Management Console, PowerShell EncodedCommand, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Agent Disabled, SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, SentinelOne EDR Custom Rule Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Kill Success, Suspicious Microsoft Defender Antivirus Exclusion Command, SentinelOne EDR Threat Detected (Malicious), Suspicious PowerShell Invocations - Specific, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Mitigation Report Quarantine Success, Suspicious Taskkill Command, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Exploiting SetupComplete.cmd CVE-2019-1378, SentinelOne EDR Malicious Threat Not Mitigated, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, SentinelOne EDR Threat Mitigation Report Remediate Success, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Failed To Log In To The Management Console, SolarWinds Wrong Child Process, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Detected (Malicious), Usage Of Procdump With Common Arguments, SentinelOne EDR SSO User Added"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Cron Files Alteration, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Disabled IE Security Features"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, CertOC Loading Dll"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Cron Files Alteration, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Package Manager Alteration, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, SentinelOne EDR Threat Mitigation Report Quarantine Success, Suspicious Taskkill Command, SentinelOne EDR Threat Detected (Suspicious), Suspicious PowerShell Invocations - Specific, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Malicious Threat Not Mitigated, DNS Exfiltration and Tunneling Tools Execution, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Remediate Success, Suspicious Microsoft Defender Antivirus Exclusion Command, Default Encoding To UTF-8 PowerShell, SentinelOne EDR SSO User Added, Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR Threat Mitigation Report Quarantine Failed, Lazarus Loaders, SentinelOne EDR User Logged In To The Management Console, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell EncodedCommand, MalwareBytes Uninstallation, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Threat Mitigation Report Kill Success, Suspicious Cmd.exe Command Line, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Agent Disabled, WMIC Uninstall Product"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Agent Disabled, Download Files From Suspicious TLDs, SentinelOne EDR User Logged In To The Management Console, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Custom Rule Alert, SolarWinds Wrong Child Process, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Agent Disabled, Usage Of Procdump With Common Arguments, SentinelOne EDR User Logged In To The Management Console"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json index 27397a0a07..abc48c52bb 100644 --- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json index 3af4533da3..3f2198e662 100644 --- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cybereason MalOp activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Control Panel Items, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Regsvr32 Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, xWizard Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, QakBot Process Creation, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Sysprep On AppData Folder, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Suspicious DNS Child Process, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, PsExec Process, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Suspicious DNS Child Process, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, PsExec Process, Windows Update LolBins, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Winword Document Droppers"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cybereason MalOp activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, IcedID Execution Using Excel, Explorer Process Executing HTA File, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, PowerShell EncodedCommand, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, MOFComp Execution, Suspicious Mshta Execution, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Empire Monkey Activity, MavInject Process Injection, CertOC Loading Dll, Suspicious Control Process, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, New Service Creation, Explorer Wrong Parent, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, New Service Creation, Explorer Wrong Parent, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process, Windows Update LolBins"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json index ac6b520986..dd35a67e52 100644 --- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Crowdstrike Telemetry [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Disabled IE Security Features"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Venom Multi-hop Proxy agent detection, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Blue Mockingbird Malware, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Crowdstrike Telemetry [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Windows Firewall Changes, Suspicious Driver Loaded, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, WMIC Uninstall Product, PowerShell EncodedCommand"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, OceanLotus Registry Activity, RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json index 348967e061..d0aa2520f7 100644 --- a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Disabled IE Security Features"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, PowerShell EncodedCommand"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json index 986cc6ccba..c8de0b27b9 100644 --- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json index b47bab5157..ff6188edc6 100644 --- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Active Directory", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Abnormal Token"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Abnormal Token"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Active Directory", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Abnormal Token"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Abnormal Token"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json index 730ebd82df..dc05b2f035 100644 --- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json index 9fd4da8261..670df4a718 100644 --- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x RSA SecurID [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Disabled IE Security Features"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x RSA SecurID [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, PowerShell EncodedCommand"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json index 3acdebcbfe..b8dde947c8 100644 --- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, CrowdStrike Falcon Intrusion Detection Low Severity, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, CrowdStrike Falcon Intrusion Detection Critical Severity, Cobalt Strike Default Beacons Names, Winword Document Droppers, CrowdStrike Falcon Intrusion Detection High Severity"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Trickbot Malware Activity, CrowdStrike Falcon Intrusion Detection Medium Severity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Phorpiex DriveMgr Command, CrowdStrike Falcon Intrusion Detection Low Severity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, QakBot Process Creation, Powershell Web Request, CrowdStrike Falcon Intrusion Detection Critical Severity, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection High Severity, Exploited CVE-2020-10189 Zoho ManageEngine, Sysprep On AppData Folder, Exploiting SetupComplete.cmd CVE-2019-1378, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, CrowdStrike Falcon Intrusion Detection Informational Severity, MalwareBytes Uninstallation, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, SolarWinds Suspicious File Creation, Smss Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, Csrss Wrong Parent, CrowdStrike Falcon Intrusion Detection Critical Severity, Windows Update LolBins, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, CrowdStrike Falcon Intrusion Detection, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Control Panel Items, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Regsvr32 Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, xWizard Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, Csrss Wrong Parent, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, CrowdStrike Falcon Intrusion Detection Low Severity, DNS Exfiltration and Tunneling Tools Execution, Trickbot Malware Activity, QakBot Process Creation, CrowdStrike Falcon Intrusion Detection, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Critical Severity, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, CrowdStrike Falcon Intrusion Detection High Severity, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell EncodedCommand, Python Offensive Tools and Packages, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Powershell Web Request, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection, Exploit For CVE-2015-1641, CrowdStrike Falcon Intrusion Detection Informational Severity, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Explorer Process Executing HTA File, Winword Document Droppers, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Critical Severity"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity, Smss Wrong Parent, CrowdStrike Falcon Intrusion Detection, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Windows Update LolBins, CrowdStrike Falcon Intrusion Detection Critical Severity, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity, Rare Lsass Child Found, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Wsmprovhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, MOFComp Execution, Suspicious Mshta Execution, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Empire Monkey Activity, MavInject Process Injection, CertOC Loading Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json index 8ad632a1d7..1e2297eb23 100644 --- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json index 512a009df7..1c122dfac9 100644 --- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Spawning Script, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SSH X11 Forwarding, SSH Tunnel Traffic, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Ryuk Ransomware Persistence Registry Key, Suspicious desktop.ini Action, Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration, DLL Load via LSASS Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, NjRat Registry Changes, Powershell Winlogon Helper DLL, Narrator Feedback-Hub Persistence, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Legitimate Process Execution From Unusual Folder, Suspicious Cmd File Copy Command To Network Share, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Control Panel Items, MavInject Process Injection, Suspicious Desktopimgdownldr Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Dynwrapx Module Loading, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Regsvr32 Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, xWizard Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Mimikatz LSASS Memory Access, Load Of dbghelp/dbgcore DLL From Suspicious Process, Unsigned Image Loaded Into LSASS Process, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Windows Credential Editor Registry Key, LSASS Access From Non System Account, Password Dumper Activity On LSASS, Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper, LSASS Memory Dump, Lsass Access Through WinRM, Process Memory Dump Using Rdrleakdiag, Credential Dumping By LaZagne, Credential Dumping Tools Service Execution, LSASS Memory Dump File Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Impacket Secretsdump.py Tool, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper, LSASS Memory Dump, Active Directory Database Dump Via Ntdsutil, Load Of dbghelp/dbgcore DLL From Suspicious Process, NTDS.dit File In Suspicious Directory, LSASS Memory Dump File Creation, Rubeus Tool Command-line, Transfering Files With Credential Data Via Network Shares, Mimikatz Basic Commands, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names, Copying Sensitive Files With Credential Data, Active Directory Replication from Non Machine Account, RedMimicry Winnti Playbook Dropped File, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Cred Dump Tools Dropped Files, LSASS Access From Non System Account, Malicious Service Installations, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Mimikatz LSASS Memory Access, WCE wceaux.dll Creation, Unsigned Image Loaded Into LSASS Process, Credential Dumping-Tools Common Named Pipes, DCSync Attack, NetNTLM Downgrade Attack, Password Dumper Activity On LSASS, SAM Registry Hive Handle Request, HackTools Suspicious Process Names In Command Line, Lsass Access Through WinRM, Credential Dumping By LaZagne, Suspicious SAM Dump, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: TrustedInstaller Impersonation, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled IE Security Features, Microsoft Malware Protection Engine Crash, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable SecurityHealth, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Disable Windows Defender Credential Guard, NetNTLM Downgrade Attack, MalwareBytes Uninstallation, Raccine Uninstall, Windows Defender Deactivation Using PowerShell Script, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: TrustedInstaller Impersonation, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Disabled IE Security Features, Microsoft Malware Protection Engine Crash, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Python Opening Ports, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspect Svchost Memory Access, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable SecurityHealth, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh Port Forwarding, Powershell AMSI Bypass, Disable Windows Defender Credential Guard, NetNTLM Downgrade Attack, Disable Security Events Logging Adding Reg Key MiniNt, MalwareBytes Uninstallation, Raccine Uninstall, Windows Defender Deactivation Using PowerShell Script, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious PowerShell Keywords, FromBase64String Command Line, Malicious PowerShell Keywords, In-memory PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Detection of default Mimikatz banner, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Turla Named Pipes, Suspicious Taskkill Command, Alternate PowerShell Hosts Pipe, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, PowerShell - NTFS Alternate Data Stream, Suspicious XOR Encoded PowerShell Command Line, WMImplant Hack Tool, Exploited CVE-2020-10189 Zoho ManageEngine, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Credential Prompt, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Suspicious PowerShell Keywords, Trickbot Malware Activity, FromBase64String Command Line, SquirrelWaffle Malspam Execution Loading DLL, Malicious PowerShell Keywords, In-memory PowerShell, Suspicious VBS Execution Parameter, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Detection of default Mimikatz banner, QakBot Process Creation, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Suspicious PowerShell Invocations - Specific, Malspam Execution Registering Malicious DLL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Elise Backdoor, Turla Named Pipes, Suspicious Taskkill Command, Alternate PowerShell Hosts Pipe, PowerShell Invoke Expression With Registry, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, PowerShell - NTFS Alternate Data Stream, Suspicious XOR Encoded PowerShell Command Line, Suspicious Scripting In A WMI Consumer, WMImplant Hack Tool, Exploited CVE-2020-10189 Zoho ManageEngine, Sysprep On AppData Folder, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, Lazarus Loaders, PowerShell Credential Prompt, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, WMI DLL Loaded Via Office, MalwareBytes Uninstallation, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Secure Deletion With SDelete, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Active Directory Replication User Backdoor, Mimikatz Basic Commands, Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Active Directory User Backdoors, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smbexec.py Service Installation, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Metasploit PSExec Service Creation, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Malicious Service Installations, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious PsExec Execution, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, SolarWinds Suspicious File Creation, Microsoft Defender Antivirus Threat Detected, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smbexec.py Service Installation, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Metasploit PSExec Service Creation, Windows Update LolBins, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Malicious Service Installations, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious PsExec Execution, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lateral Movement - Remote Named Pipe, Denied Access To Remote Desktop, Protected Storage Service Access, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, MMC Spawning Windows Shell, MMC20 Lateral Movement, Lsass Access Through WinRM, RDP Login From Localhost, RDP Port Change Using Powershell, Cobalt Strike Default Service Creation Usage, Admin Share Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Denied Access To Remote Desktop, User Added to Local Administrators, Failed Logon Source From Public IP Addresses, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Suspicious DLL side loading from ProgramData, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Windows Registry Persistence COM Search Order Hijacking, DNS ServerLevelPluginDll Installation, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Event Subscription, New DLL Added To AppCertDlls Registry Key, Suspicious Scripting In A WMI Consumer, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Chafer (APT 39) Activity, StoneDrill Service Install, Winrshost Wrong Parent, Cobalt Strike Default Service Creation Usage, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, APT29 Fake Google Update Service Install, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Malicious Service Installations, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Chafer (APT 39) Activity, StoneDrill Service Install, Winrshost Wrong Parent, Cobalt Strike Default Service Creation Usage, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, APT29 Fake Google Update Service Install, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Malicious Service Installations, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Invoke-TheHash Commandlets, WMI DLL Loaded Via Office, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, Wmic Process Call Creation, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious DLL Loaded Via Office Applications, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation, Antivirus Web Shell Detection, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation, Antivirus Web Shell Detection, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Process Herpaderping, Taskhost Wrong Parent, Smss Wrong Parent, Wsmprovhost Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Malicious Named Pipe, Dynwrapx Module Loading, Svchost Wrong Parent, Process Hollowing Detection, Spoolsv Wrong Parent, Cobalt Strike Named Pipes, CreateRemoteThread Common Process Injection, Wmiprvse Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Malspam Execution Registering Malicious DLL, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, Suspicious New Printer Ports In Registry, OceanLotus Registry Activity, NetNTLM Downgrade Attack, DHCP Callout DLL Installation, Disable Security Events Logging Adding Reg Key MiniNt, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Remote Registry Management Using Reg Utility, Chafer (APT 39) Activity, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, RDP Port Change Using Powershell, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Suspicious Taskkill Command, Putty Sessions Listing, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Secure Deletion With SDelete, Microsoft Defender Antivirus Tampering Detected, Eventlog Cleared, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete, Backup Catalog Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Python Opening Ports, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery, Domain Trust Created Or Removed"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, AD User Enumeration, PowerView commandlets 1, AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Microsoft Office Startup Add-In, Office Application Startup Office Test"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Network Connection Via Certutil, Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, Suspicious SAM Dump, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, GitLab CVE-2021-22205, Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Chafer (APT 39) Activity, Suspicious LDAP-Attributes Used, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, SCM Database Privileged Operation, SCM Database Handle Failure, PowerView commandlets 1"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Ryuk Ransomware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Rubeus Tool Command-line, Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, TUN/TAP Driver Installation"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 2, PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Chafer (APT 39) Activity, Remote Task Creation Via ATSVC Named Pipe, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Suspicious HWP Child Process, Exploit For CVE-2015-1641, Audit CVE Event, Msdt (Follina) File Browse Process Execution, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement - Remote Named Pipe, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Admin Share Access"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, SSH X11 Forwarding, Ngrok Process Execution, SSH Tunnel Traffic"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Suspicious desktop.ini Action, Ryuk Ransomware Persistence Registry Key, DLL Load via LSASS Registry Key, Leviathan Registry Key Activity, Kernel Module Alteration, Registry Key Used By Some Old Agent Tesla Samples, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, NjRat Registry Changes"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Network Connection Via Certutil"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Phosphorus Domain Controller Discovery, AdFind Usage, PowerView commandlets 1"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, Detection of default Mimikatz banner, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Threat Detected, WMI DLL Loaded Via Office, Trickbot Malware Activity, QakBot Process Creation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Mustang Panda Dropper, Microsoft Office Spawning Script, PowerShell - NTFS Alternate Data Stream, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Alternate PowerShell Hosts Pipe, PowerShell Malicious PowerShell Commandlets, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Scripting In A WMI Consumer, Default Encoding To UTF-8 PowerShell, Elise Backdoor, FromBase64String Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious XOR Encoded PowerShell Command Line, Lazarus Loaders, Suspicious VBS Execution Parameter, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Turla Named Pipes, PowerShell Credential Prompt, Suspicious Outlook Child Process, Venom Multi-hop Proxy agent detection, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell EncodedCommand, Suspicious DLL Loaded Via Office Applications, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Koadic Execution, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, In-memory PowerShell, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Powershell Web Request, Malicious PowerShell Keywords, PowerShell Invoke Expression With Registry, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Python Opening Ports, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Powershell AMSI Bypass, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Python Opening Ports, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Services, Disable Windows Defender Credential Guard, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable SecurityHealth, Raccine Uninstall, Netsh RDP Port Opening, Disable Security Events Logging Adding Reg Key MiniNt, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Malware Protection Engine Crash, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, NetNTLM Downgrade Attack, Ryuk Ransomware Command Line, Disabled IE Security Features, Windows Firewall Changes, Microsoft Defender Antivirus Tampering Detected, Suspicious Driver Loaded, MalwareBytes Uninstallation, Suspect Svchost Memory Access, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable Scheduled Tasks, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Dynwrapx Module Loading"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Desktopimgdownldr Execution, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, MOFComp Execution, Suspicious Mshta Execution, xWizard Execution, Dynwrapx Module Loading, CMSTP Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MavInject Process Injection, Empire Monkey Activity, CertOC Loading Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, CreateRemoteThread Common Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Process Herpaderping, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Cobalt Strike Named Pipes, Searchindexer Wrong Parent, Dynwrapx Module Loading, Taskhost Wrong Parent, Explorer Wrong Parent, Smss Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, Process Hollowing Detection, CreateRemoteThread Common Process Injection, MavInject Process Injection, Malicious Named Pipe"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, Suspicious Outlook Child Process, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: New Or Renamed User Account With '$' In Attribute 'SamAccountName', AutoIt3 Execution From Suspicious Folder, Execution From Suspicious Folder, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: LSASS Memory Dump, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Password Dumper Activity On LSASS, Impacket Secretsdump.py Tool, Wdigest Enable UseLogonCredential, Mimikatz LSASS Memory Access, Load Of dbghelp/dbgcore DLL From Suspicious Process, Dumpert LSASS Process Dumper, Lsass Access Through WinRM, Mimikatz Basic Commands, Credential Dumping By LaZagne, HackTools Suspicious Process Names, Copying Browser Files With Credentials, SAM Registry Hive Handle Request, Process Memory Dump Using Createdump, DPAPI Domain Backup Key Extraction, LSASS Memory Dump File Creation, Active Directory Database Dump Via Ntdsutil, Transfering Files With Credential Data Via Network Shares, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, RedMimicry Winnti Playbook Dropped File, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, NetNTLM Downgrade Attack, Rubeus Tool Command-line, LSASS Access From Non System Account, Unsigned Image Loaded Into LSASS Process, DCSync Attack, Credential Dumping Tools Service Execution, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Active Directory Replication from Non Machine Account, Malicious Service Installations, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: LSASS Access From Non System Account, Windows Credential Editor Registry Key, LSASS Memory Dump, Unsigned Image Loaded Into LSASS Process, Process Memory Dump Using Createdump, Password Dumper Activity On LSASS, Mimikatz LSASS Memory Access, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, Lsass Access Through WinRM, LSASS Memory Dump File Creation, Credential Dumping By LaZagne, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, WMI DLL Loaded Via Office, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Antivirus Web Shell Detection"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Ursnif Registry Key, Suspicious Desktopimgdownldr Execution, Remote Registry Management Using Reg Utility, RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, RDP Port Change Using Powershell, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, OceanLotus Registry Activity, DNS ServerLevelPluginDll Installation, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, DHCP Callout DLL Installation, RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, SysKey Registry Keys Access, Suspicious Taskkill Command, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility, Adexplorer Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Rubeus Register New Logon Process, Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Smss Wrong Parent, Metasploit PSExec Service Creation, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Userinit Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Smbexec.py Service Installation, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious PsExec Execution, Rare Logonui Child Found, Credential Dumping Tools Service Execution, Taskhost Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Smss Wrong Parent, Metasploit PSExec Service Creation, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Userinit Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Smbexec.py Service Installation, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Suspicious PsExec Execution, Rare Logonui Child Found, Credential Dumping Tools Service Execution, Taskhost Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Disable Windows Defender Credential Guard, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable SecurityHealth, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Malware Protection Engine Crash, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Exclusion Configuration, NetNTLM Downgrade Attack, Ryuk Ransomware Command Line, Disabled IE Security Features, Suspicious Driver Loaded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable Scheduled Tasks, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, APT29 Fake Google Update Service Install, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Chafer (APT 39) Activity, Svchost Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, APT29 Fake Google Update Service Install, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Chafer (APT 39) Activity, Svchost Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Remote Task Creation Via ATSVC Named Pipe, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Mustang Panda Dropper, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Detection of default Mimikatz banner, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, PowerShell - NTFS Alternate Data Stream, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Alternate PowerShell Hosts Pipe, PowerShell Malicious PowerShell Commandlets, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, FromBase64String Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious XOR Encoded PowerShell Command Line, Turla Named Pipes, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Credential Prompt, PowerShell EncodedCommand, Invoke-TheHash Commandlets, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, In-memory PowerShell, Powershell Web Request, Malicious PowerShell Keywords, PowerShell Invoke Expression With Registry, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, Denied Access To Remote Desktop, RDP Port Change Using Powershell, Admin Share Access, Protected Storage Service Access, Lsass Access Through WinRM, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, RDP Login From Localhost, MMC20 Lateral Movement, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMI DLL Loaded Via Office, WMIC Uninstall Product, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Copying Browser Files With Credentials, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files, NTDS.dit File In Suspicious Directory, Active Directory Database Dump Via Ntdsutil, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, Control Panel Items, WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, WMI Event Subscription, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution, DCSync Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Replication User Backdoor, Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Mimikatz Basic Commands, Active Directory User Backdoors, Privileged AD Builtin Group Modified, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Privileged AD Builtin Group Modified, Domain Trust Created Or Removed, GPO Executable Delivery"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, PowerView commandlets 1"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Privileged Operation, SCM Database Handle Failure, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, AD Object WriteDAC Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Audit CVE Event, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts, Suspicious HWP Child Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, User Added to Local Administrators, Denied Access To Remote Desktop, Account Tampering - Suspicious Failed Logon Reasons, Admin User RDP Remote Logon, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event, CVE-2019-0708 Scan"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, GitLab CVE-2021-22205, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json index 09c115a125..bb26657cb7 100644 --- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortinet Fortiproxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command, LokiBot Default C2 URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fortinet Fortiproxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Suspicious Email Attachment Received, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json index 242fe3c4ac..ac88f78dd0 100644 --- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Control Panel Items, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Regsvr32 Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, xWizard Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Trickbot Malware Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, QakBot Process Creation, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Mshta Suspicious Child Process, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Microsoft Office Spawning Script, Sysprep On AppData Folder, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, Csrss Wrong Parent, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, SolarWinds Suspicious File Creation, Microsoft Defender Antivirus Threat Detected, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, Csrss Wrong Parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Audit CVE Event, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Blue Mockingbird Malware, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Suspicious Driver Loaded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Disabled IE Security Features, Windows Firewall Changes, Microsoft Defender Antivirus Tampering Detected, Suspicious Driver Loaded, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious Finger Usage, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Threat Detected, DNS Exfiltration and Tunneling Tools Execution, Trickbot Malware Activity, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell EncodedCommand, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Userinit Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Userinit Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, MOFComp Execution, Suspicious Mshta Execution, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Empire Monkey Activity, MavInject Process Injection, CertOC Loading Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Suspicious Windows DNS Queries, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Audit CVE Event"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json index 250cddd27a..ff9582e329 100644 --- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x VMware ESXi [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Disabled IE Security Features"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x VMware ESXi [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, PowerShell EncodedCommand"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json index 8f95480357..92b8cea487 100644 --- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Email Security Appliance [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Email Security Appliance [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json index a8b584fdc7..df2efa6993 100644 --- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json index e22b9fc3e3..382c6dab9d 100644 --- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x HarfangLab", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, Winword Document Droppers, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Sysmon Windows File Block Executable, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Trickbot Malware Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, QakBot Process Creation, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Mshta Suspicious Child Process, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Microsoft Office Spawning Script, Sysprep On AppData Folder, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, HackTools Suspicious Process Names, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Suspicious desktop.ini Action, Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Control Panel Items, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Regsvr32 Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, xWizard Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, Csrss Wrong Parent, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, SolarWinds Suspicious File Creation, Microsoft Defender Antivirus Threat Detected, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, Csrss Wrong Parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Csrss Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Blue Mockingbird Malware, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x HarfangLab", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Package Manager Alteration, Disabled IE Security Features, Suspicious Driver Loaded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Package Manager Alteration, Disabled IE Security Features, Windows Firewall Changes, Microsoft Defender Antivirus Tampering Detected, Suspicious Driver Loaded, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Threat Detected, DNS Exfiltration and Tunneling Tools Execution, Trickbot Malware Activity, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell EncodedCommand, Python Offensive Tools and Packages, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Memory Dump Using Createdump, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, HackTools Suspicious Process Names, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious Finger Usage, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, Winword Document Droppers, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Explorer Process Executing HTA File, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, Suspicious Outlook Child Process, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Userinit Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Userinit Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, MOFComp Execution, Suspicious Mshta Execution, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Empire Monkey Activity, MavInject Process Injection, CertOC Loading Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, OceanLotus Registry Activity, RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Python HTTP Server, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json index 80c2024380..92c65ddb15 100644 --- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS GuardDuty [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS GuardDuty [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty High Severity Alert"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json index 51e51aab6d..ee1ec51aa8 100644 --- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Download Files From Suspicious TLDs, Sophos EDR CorePUA Detection, Sophos EDR Application Blocked, Sophos EDR CorePUA Clean"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Blocked, Download Files From Suspicious TLDs, Sophos EDR Application Detected, Sophos EDR CorePUA Clean, Sophos EDR CorePUA Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json index ae2f6673ab..d39e2001a5 100644 --- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x McAfee Web Gateway / Skyhigh Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x McAfee Web Gateway / Skyhigh Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json index 47c1d8b04f..c253302840 100644 --- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Trickbot Malware Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, QakBot Process Creation, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Mshta Suspicious Child Process, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Microsoft Office Spawning Script, Sysprep On AppData Folder, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Control Panel Items, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Regsvr32 Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, xWizard Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, Suspicious DNS Child Process, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Blue Mockingbird Malware, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Winword Document Droppers"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Package Manager Alteration, Disabled IE Security Features, Suspicious Driver Loaded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Package Manager Alteration, Disabled IE Security Features, Windows Firewall Changes, Suspicious Driver Loaded, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Trickbot Malware Activity, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell EncodedCommand, Python Offensive Tools and Packages, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Load Of dbghelp/dbgcore DLL From Suspicious Process, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, IcedID Execution Using Excel, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Explorer Wrong Parent, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Userinit Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Userinit Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, MOFComp Execution, Suspicious Mshta Execution, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Empire Monkey Activity, MavInject Process Injection, CertOC Loading Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Koadic MSHTML Command, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, CVE-2019-0604 SharePoint, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious HWP Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json index bb2f8e1b99..6db34d1982 100644 --- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Blocked, Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Quarantined"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Venom Multi-hop Proxy agent detection, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Possible Malicious File Double Extension"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Potential DNS Tunnel"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Quarantined"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json index 5dda706ba6..b0aaf8cc72 100644 --- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json index ca5f9040d0..15f8327fed 100644 --- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json index 962fa8f111..f376baf96c 100644 --- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json index 7a7f6ee277..2dcb18bfe2 100644 --- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cato SASE [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cato SASE [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json index 8183833586..60cee65605 100644 --- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Proofpoint TAP Email Classified As Malware But Allowed, Proofpoint TAP Email Classified As Spam But Allowed, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Phishing But Allowed"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Spam But Allowed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Proofpoint TAP Email Classified As Phishing But Allowed, SEKOIA.IO Intelligence Feed, Proofpoint TAP Email Classified As Malware But Allowed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json index 87608ee8ad..b8a127c2a2 100644 --- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json index 3dbbdcaf95..706f62b697 100644 --- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan), Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (Sandboxing), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json index 4f2dadba15..3ae0d28763 100644 --- a/_shared_content/operations_center/detection/generated/attack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_4a3bb630-951a-40d9-be5e-5c712b37248e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Kubernetes Audit Log", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Kubernetes Audit Log", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json index ff47f611e7..bbb4f04d7c 100644 --- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Duo Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Duo Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json index f6bc79bf91..b1ce9a4ad1 100644 --- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortigate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fortigate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json index 5222bcada0..002a0de2f4 100644 --- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Access Requests [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Access Requests [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json index fba2b15711..06a99065ce 100644 --- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco NX-OS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Socat Relaying Socket, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Interactive Terminal Spawned via Python, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Sysprep On AppData Folder, Venom Multi-hop Proxy agent detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, PowerShell Download From URL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, Netsh Port Forwarding, SELinux Disabling, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, Netsh Allowed Python Program, Netsh Port Forwarding, SELinux Disabling, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection, Ngrok Process Execution, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco NX-OS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Package Manager Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, SELinux Disabling, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Package Manager Alteration, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Phorpiex DriveMgr Command, AutoIt3 Execution From Suspicious Folder, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Socat Reverse Shell Detection, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, PowerShell EncodedCommand, Python Offensive Tools and Packages, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious Control Process, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, Mshta JavaScript Execution, CertOC Loading Dll, AccCheckConsole Executing Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json index de24e41368..fe13382fa5 100644 --- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json index f85219c3fc..367ecd4fff 100644 --- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Process Trace Alteration, Process Memory Dump Using Comsvcs"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Restoration Abuse, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Disabled IE Security Features"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, Suspicious DLL Loading By Ordinal, CertOC Loading Dll"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Lazarus Loaders, MalwareBytes Uninstallation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh RDP Port Forwarding, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Disabled IE Security Features, Raccine Uninstall"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, PowerShell EncodedCommand"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json index bb143b2774..f8fdff1966 100644 --- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Ubika WAAP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Ubika WAAP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json index 1fbf74adf2..dab87a0e9f 100644 --- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json index 97c51beab4..37891ab9a0 100644 --- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json index ead4178221..17cfa7defe 100644 --- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Varonis Data Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Varonis Data Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json index c4053a7d61..409c5fe00d 100644 --- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Github Audit Logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected, GitHub New Organization Member"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Outside Collaborator Detected, GitHub New Organization Member"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Github Audit Logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub High Risk Configuration Disabled, GitHub New Organization Member, GitHub Outside Collaborator Detected, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub High Risk Configuration Disabled, GitHub New Organization Member, GitHub Outside Collaborator Detected, GitHub Delete Action, GitHub Dependabot Or Vulnerability Alerts Disabled"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json index 4e171119b5..4df669f0f4 100644 --- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Vade Cloud [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vade Cloud [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json index 4b9308e9eb..55f14fdecc 100644 --- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json index 96137c02ee..c75dc74652 100644 --- a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Rubeus Tool Command-line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Taskhostw Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Control Panel Items, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Regsvr32 Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, xWizard Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Trickbot Malware Activity, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, QakBot Process Creation, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Mshta Suspicious Child Process, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Microsoft Office Spawning Script, Sysprep On AppData Folder, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, SolarWinds Suspicious File Creation, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Windows Update LolBins, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Winrshost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Exploiting SetupComplete.cmd CVE-2019-1378, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Possible Malicious File Double Extension, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, RTLO Character, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, Suspicious DNS Child Process, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Winword Document Droppers"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, NlTest Usage, Trickbot Malware Activity, AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Load Of dbghelp/dbgcore DLL From Suspicious Process, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Suspicious desktop.ini Action"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Trickbot Malware Activity, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell EncodedCommand, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Winword Document Droppers, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, SolarWinds Wrong Child Process, Taskhostw Wrong Parent, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, MOFComp Execution, Suspicious Mshta Execution, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Empire Monkey Activity, MavInject Process Injection, CertOC Loading Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Koadic MSHTML Command, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, CVE-2019-0604 SharePoint, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious HWP Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json index 2e04dcf423..dafeedbd77 100644 --- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x TEHTRIS Endpoint Detection & Reponse", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Download Files From Suspicious TLDs, TEHTRIS EDR Alert, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, TEHTRIS EDR Alert, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, PowerShell Download From URL"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, TEHTRIS EDR Alert, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Phorpiex Process Masquerading, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x TEHTRIS Endpoint Detection & Reponse", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Package Manager Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Package Manager Alteration, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, Elise Backdoor, TEHTRIS EDR Alert, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious Control Process, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, Mshta JavaScript Execution, CertOC Loading Dll, AccCheckConsole Executing Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json index 6d4df5c888..bd497a7993 100644 --- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Palo Alto Next-Generation Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Palo Alto Next-Generation Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json index bc4fc84404..531ac6f9ef 100644 --- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Spawning Script, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Medium Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Process Execution Blocked, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, HarfangLab EDR Critical Level Rule Detection, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Winword Document Droppers"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Active Directory Replication User Backdoor, Mimikatz Basic Commands, Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Add User to Privileged Group, Active Directory User Backdoors, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Impacket Secretsdump.py Tool, Wdigest Enable UseLogonCredential, Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper, LSASS Memory Dump, Active Directory Database Dump Via Ntdsutil, Process Trace Alteration, Load Of dbghelp/dbgcore DLL From Suspicious Process, NTDS.dit File In Suspicious Directory, LSASS Memory Dump File Creation, Rubeus Tool Command-line, Transfering Files With Credential Data Via Network Shares, Mimikatz Basic Commands, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names, Copying Sensitive Files With Credential Data, Active Directory Replication from Non Machine Account, RedMimicry Winnti Playbook Dropped File, NTDS.dit File Interaction Through Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Cred Dump Tools Dropped Files, LSASS Access From Non System Account, Malicious Service Installations, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Mimikatz LSASS Memory Access, WCE wceaux.dll Creation, Unsigned Image Loaded Into LSASS Process, Credential Dumping-Tools Common Named Pipes, DCSync Attack, NetNTLM Downgrade Attack, Password Dumper Activity On LSASS, SAM Registry Hive Handle Request, HackTools Suspicious Process Names In Command Line, Lsass Access Through WinRM, Credential Dumping By LaZagne, Suspicious SAM Dump, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: TrustedInstaller Impersonation, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled IE Security Features, Microsoft Malware Protection Engine Crash, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable SecurityHealth, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Disable Windows Defender Credential Guard, NetNTLM Downgrade Attack, MalwareBytes Uninstallation, Raccine Uninstall, Windows Defender Deactivation Using PowerShell Script, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: TrustedInstaller Impersonation, Netsh RDP Port Opening, Microsoft Defender Antivirus Exclusion Configuration, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Disabled IE Security Features, Microsoft Malware Protection Engine Crash, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Python Opening Ports, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspect Svchost Memory Access, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable SecurityHealth, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh Port Forwarding, Powershell AMSI Bypass, Disable Windows Defender Credential Guard, NetNTLM Downgrade Attack, Disable Security Events Logging Adding Reg Key MiniNt, MalwareBytes Uninstallation, Raccine Uninstall, Windows Defender Deactivation Using PowerShell Script, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Process Herpaderping, Smss Wrong Parent, MavInject Process Injection, Taskhostw Wrong Parent, Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, Explorer Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Malicious Named Pipe, Process Hollowing Detection, Cobalt Strike Named Pipes, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Secure Deletion With SDelete, Erase Shell History, Microsoft Defender Antivirus Tampering Detected, Eventlog Cleared, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Suspicious DLL side loading from ProgramData, Hijack Legit RDP Session To Move Laterally, DHCP Callout DLL Installation, Windows Registry Persistence COM Search Order Hijacking, DNS ServerLevelPluginDll Installation, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, Dynamic Linker Hijacking From Environment Variable, DHCP Server Loaded the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Ryuk Ransomware Persistence Registry Key, Suspicious desktop.ini Action, Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration, DLL Load via LSASS Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, NjRat Registry Changes, Powershell Winlogon Helper DLL, Narrator Feedback-Hub Persistence, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Possible Malicious File Double Extension, Copy Of Legitimate System32 Executable, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Execution From Suspicious Folder, Exploit For CVE-2017-0261 Or CVE-2017-0262, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Legitimate Process Execution From Unusual Folder, Suspicious Cmd File Copy Command To Network Share, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Control Panel Items, MavInject Process Injection, Suspicious Desktopimgdownldr Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Windows Installer Execution, Dynwrapx Module Loading, Malspam Execution Registering Malicious DLL, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Regsvr32 Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, xWizard Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Mimikatz LSASS Memory Access, Load Of dbghelp/dbgcore DLL From Suspicious Process, Unsigned Image Loaded Into LSASS Process, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Windows Credential Editor Registry Key, LSASS Access From Non System Account, Password Dumper Activity On LSASS, Process Memory Dump Using Createdump, Dumpert LSASS Process Dumper, LSASS Memory Dump, Lsass Access Through WinRM, Process Memory Dump Using Rdrleakdiag, Credential Dumping By LaZagne, Credential Dumping Tools Service Execution, LSASS Memory Dump File Creation"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious PowerShell Keywords, FromBase64String Command Line, Malicious PowerShell Keywords, In-memory PowerShell, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Suspicious Microsoft Defender Antivirus Exclusion Command, Detection of default Mimikatz banner, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Turla Named Pipes, Suspicious Taskkill Command, Alternate PowerShell Hosts Pipe, PowerShell Invoke Expression With Registry, Microsoft Defender Antivirus Disabled Base64 Encoded, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, PowerShell - NTFS Alternate Data Stream, Suspicious XOR Encoded PowerShell Command Line, WMImplant Hack Tool, Exploited CVE-2020-10189 Zoho ManageEngine, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Credential Prompt, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Download From URL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Microsoft Defender Antivirus Threat Detected, PowerShell EncodedCommand, Suspicious PowerShell Keywords, Trickbot Malware Activity, FromBase64String Command Line, SquirrelWaffle Malspam Execution Loading DLL, Malicious PowerShell Keywords, In-memory PowerShell, Suspicious VBS Execution Parameter, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Malicious PowerShell Commandlets, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Detection of default Mimikatz banner, QakBot Process Creation, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Suspicious PowerShell Invocations - Specific, Malspam Execution Registering Malicious DLL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Elise Backdoor, Turla Named Pipes, Suspicious Taskkill Command, Alternate PowerShell Hosts Pipe, PowerShell Invoke Expression With Registry, Suspicious DLL Loaded Via Office Applications, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, PowerShell - NTFS Alternate Data Stream, Suspicious XOR Encoded PowerShell Command Line, Suspicious Scripting In A WMI Consumer, WMImplant Hack Tool, Exploited CVE-2020-10189 Zoho ManageEngine, Sysprep On AppData Folder, Exploiting SetupComplete.cmd CVE-2019-1378, Venom Multi-hop Proxy agent detection, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Mustang Panda Dropper, Lazarus Loaders, PowerShell Credential Prompt, PowerShell Downgrade Attack, Invoke-TheHash Commandlets, WMI DLL Loaded Via Office, MalwareBytes Uninstallation, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Secure Deletion With SDelete, Suspicious XOR Encoded PowerShell Command Line, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smbexec.py Service Installation, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Metasploit PSExec Service Creation, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Malicious Service Installations, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious PsExec Execution, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, SolarWinds Suspicious File Creation, Microsoft Defender Antivirus Threat Detected, Smss Wrong Parent, Winword wrong parent, PsExec Process, Winrshost Wrong Parent, Logonui Wrong Parent, Usage Of Sysinternals Tools, Smbexec.py Service Installation, Taskhostw Wrong Parent, Lsass Wrong Parent, Suspicious DNS Child Process, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, Metasploit PSExec Service Creation, Windows Update LolBins, Usage Of Procdump With Common Arguments, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Malicious Service Installations, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Suspicious PsExec Execution, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lateral Movement - Remote Named Pipe, Denied Access To Remote Desktop, Protected Storage Service Access, Smbexec.py Service Installation, Remote Service Activity Via SVCCTL Named Pipe, MMC Spawning Windows Shell, MMC20 Lateral Movement, Lsass Access Through WinRM, RDP Login From Localhost, RDP Port Change Using Powershell, Cobalt Strike Default Service Creation Usage, Admin Share Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Denied Access To Remote Desktop, User Added to Local Administrators, Failed Logon Source From Public IP Addresses, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Event Subscription, New DLL Added To AppCertDlls Registry Key, Suspicious Scripting In A WMI Consumer, Control Panel Items, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Chafer (APT 39) Activity, StoneDrill Service Install, Winrshost Wrong Parent, Cobalt Strike Default Service Creation Usage, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, APT29 Fake Google Update Service Install, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Malicious Service Installations, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchprotocolhost Wrong Parent, Smss Wrong Parent, New Service Creation, Winword wrong parent, Chafer (APT 39) Activity, StoneDrill Service Install, Winrshost Wrong Parent, Cobalt Strike Default Service Creation Usage, Logonui Wrong Parent, Taskhostw Wrong Parent, Lsass Wrong Parent, WMI Persistence Command Line Event Consumer, Csrss Wrong Parent, APT29 Fake Google Update Service Install, Explorer Wrong Parent, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Winlogon wrong parent, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Malicious Service Installations, Wininit Wrong Parent, Csrss Child Found, Userinit Wrong Parent, Wmiprvse Wrong Parent, Searchindexer Wrong Parent, Gpscript Suspicious Parent, Taskhost or Taskhostw Suspicious Child Found, Dllhost Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Rare Logonui Child Found, Spoolsv Wrong Parent, OneNote Suspicious Children Process"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, Invoke-TheHash Commandlets, WMI DLL Loaded Via Office, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, Wmic Process Call Creation, WMImplant Hack Tool, Wmic Service Call, Impacket Wmiexec Module"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious DLL Loaded Via Office Applications, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, WMI DLL Loaded Via Office, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation, Antivirus Web Shell Detection, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation, Antivirus Web Shell Detection, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Malspam Execution Registering Malicious DLL, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, Suspicious New Printer Ports In Registry, OceanLotus Registry Activity, NetNTLM Downgrade Attack, DHCP Callout DLL Installation, Disable Security Events Logging Adding Reg Key MiniNt, DNS ServerLevelPluginDll Installation, Wdigest Enable UseLogonCredential, Disable .NET ETW Through COMPlus_ETWEnabled, Remote Registry Management Using Reg Utility, Chafer (APT 39) Activity, RDP Sensitive Settings Changed, Blue Mockingbird Malware, Suspicious Desktopimgdownldr Execution, RDP Port Change Using Powershell, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Suspicious Taskkill Command, Putty Sessions Listing, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete, Backup Catalog Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Powershell AMSI Bypass, NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Python Opening Ports, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery, Domain Trust Created Or Removed"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, PowerShell Data Compressed, Data Compressed With Rar"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, AD User Enumeration, PowerView commandlets 1, AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Microsoft Office Startup Add-In, Office Application Startup Office Test"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Network Connection Via Certutil, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Desktopimgdownldr Execution, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, Suspicious SAM Dump, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Suspicious Windows DNS Queries, Python HTTP Server, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Chafer (APT 39) Activity, Covenant Default HTTP Beaconing, Suspicious LDAP-Attributes Used, Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, SCM Database Privileged Operation, SCM Database Handle Failure, PowerView commandlets 1"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Ryuk Ransomware Persistence Registry Key, Autorun Keys Modification, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Narrator Feedback-Hub Persistence"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Rubeus Tool Command-line, Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel, Exfiltration Domain In Command Line, TUN/TAP Driver Installation"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, PowerView commandlets 2, PowerView commandlets 1, Trickbot Malware Activity, NlTest Usage, AdFind Usage, Phosphorus Domain Controller Discovery, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, Suspicious Windows ANONYMOUS LOGON Local Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Chafer (APT 39) Activity, Remote Task Creation Via ATSVC Named Pipe, Creation or Modification of a GPO Scheduled Task, Schtasks Suspicious Parent"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Suspicious HWP Child Process, Exploit For CVE-2015-1641, Audit CVE Event, Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs, Antivirus Exploitation Framework Detection, Download Files From Non-Legitimate TLDs, Antivirus Password Dumper Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection, Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement - Remote Named Pipe, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Admin Share Access"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Remote Task Creation Via ATSVC Named Pipe, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Netsh Port Forwarding, Suspicious TOR Gateway"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Services, Disable Windows Defender Credential Guard, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable SecurityHealth, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Malware Protection Engine Crash, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Exclusion Configuration, NetNTLM Downgrade Attack, Ryuk Ransomware Command Line, Disabled IE Security Features, Suspicious Driver Loaded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Defender Deactivation Using PowerShell Script, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Python Opening Ports, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Services, Disable Windows Defender Credential Guard, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable SecurityHealth, Raccine Uninstall, Netsh RDP Port Opening, Disable Security Events Logging Adding Reg Key MiniNt, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Malware Protection Engine Crash, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, TrustedInstaller Impersonation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Powershell AMSI Bypass, Microsoft Defender Antivirus Exclusion Configuration, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, NetNTLM Downgrade Attack, Ryuk Ransomware Command Line, Disabled IE Security Features, Windows Firewall Changes, Microsoft Defender Antivirus Tampering Detected, Suspicious Driver Loaded, MalwareBytes Uninstallation, Suspect Svchost Memory Access, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Windows Defender Deactivation Using PowerShell Script, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Replication User Backdoor, Active Directory Delegate To KRBTGT Service, User Added to Local Administrators, Add User to Privileged Group, Mimikatz Basic Commands, Active Directory User Backdoors, Privileged AD Builtin Group Modified, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Scanning and Discovery, PowerView commandlets 2"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Process Herpaderping, Smss Wrong Parent, Explorer Wrong Parent, Cobalt Strike Named Pipes, Searchindexer Wrong Parent, Dynwrapx Module Loading, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Malicious Named Pipe, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Process Hollowing Detection, CreateRemoteThread Common Process Injection, MavInject Process Injection, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Secure Deletion With SDelete, Microsoft Defender Antivirus History Deleted, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: LSASS Memory Dump, Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Password Dumper Activity On LSASS, Impacket Secretsdump.py Tool, Wdigest Enable UseLogonCredential, Mimikatz LSASS Memory Access, Load Of dbghelp/dbgcore DLL From Suspicious Process, Dumpert LSASS Process Dumper, Lsass Access Through WinRM, Mimikatz Basic Commands, Credential Dumping By LaZagne, HackTools Suspicious Process Names, Copying Browser Files With Credentials, SAM Registry Hive Handle Request, Process Trace Alteration, Process Memory Dump Using Createdump, DPAPI Domain Backup Key Extraction, LSASS Memory Dump File Creation, Active Directory Database Dump Via Ntdsutil, Transfering Files With Credential Data Via Network Shares, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag, RedMimicry Winnti Playbook Dropped File, NTDS.dit File Interaction Through Command Line, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, NetNTLM Downgrade Attack, Rubeus Tool Command-line, LSASS Access From Non System Account, Unsigned Image Loaded Into LSASS Process, DCSync Attack, Credential Dumping Tools Service Execution, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, Active Directory Replication from Non Machine Account, Malicious Service Installations, Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Suspicious desktop.ini Action, Ryuk Ransomware Persistence Registry Key, DLL Load via LSASS Registry Key, Leviathan Registry Key Activity, Kernel Module Alteration, Registry Key Used By Some Old Agent Tesla Samples, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration, Powershell Winlogon Helper DLL, NjRat Registry Changes"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious certutil command, Network Connection Via Certutil"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, PowerView commandlets 2, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, Phosphorus Domain Controller Discovery, AdFind Usage, PowerView commandlets 1"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, Detection of default Mimikatz banner, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Threat Detected, WMI DLL Loaded Via Office, Trickbot Malware Activity, QakBot Process Creation, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Mustang Panda Dropper, Microsoft Office Spawning Script, PowerShell - NTFS Alternate Data Stream, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Alternate PowerShell Hosts Pipe, PowerShell Malicious PowerShell Commandlets, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Suspicious Scripting In A WMI Consumer, Default Encoding To UTF-8 PowerShell, Elise Backdoor, FromBase64String Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious XOR Encoded PowerShell Command Line, Lazarus Loaders, Suspicious VBS Execution Parameter, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Turla Named Pipes, PowerShell Credential Prompt, Suspicious Outlook Child Process, Venom Multi-hop Proxy agent detection, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell EncodedCommand, Suspicious DLL Loaded Via Office Applications, Invoke-TheHash Commandlets, MalwareBytes Uninstallation, Koadic Execution, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, In-memory PowerShell, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Powershell Web Request, Malicious PowerShell Keywords, PowerShell Invoke Expression With Registry, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Python Opening Ports, NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Powershell AMSI Bypass, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel, Dynwrapx Module Loading"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Desktopimgdownldr Execution, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, MOFComp Execution, Suspicious Mshta Execution, xWizard Execution, Dynwrapx Module Loading, CMSTP Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, MavInject Process Injection, Empire Monkey Activity, CertOC Loading Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, CreateRemoteThread Common Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs, HarfangLab EDR Critical Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR High Level Rule Detection, Exploit For CVE-2015-1641, HarfangLab EDR Low Level Rule Detection, Winword Document Droppers, IcedID Execution Using Excel, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Non-Legitimate TLDs, HarfangLab EDR Critical Level Rule Detection, Suspicious Outlook Child Process, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Hlai Engine Detection, Suspicious DLL Loaded Via Office Applications, Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: New Or Renamed User Account With '$' In Attribute 'SamAccountName', AutoIt3 Execution From Suspicious Folder, Execution From Suspicious Folder, Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Legitimate Process Execution From Unusual Folder, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Explorer Wrong Parent, Formbook Hijacked Process Command, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: LSASS Access From Non System Account, Windows Credential Editor Registry Key, LSASS Memory Dump, Unsigned Image Loaded Into LSASS Process, Process Memory Dump Using Createdump, Password Dumper Activity On LSASS, Mimikatz LSASS Memory Access, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Load Of dbghelp/dbgcore DLL From Suspicious Process, Credential Dumping Tools Service Execution, Dumpert LSASS Process Dumper, Lsass Access Through WinRM, LSASS Memory Dump File Creation, Credential Dumping By LaZagne, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, WMI DLL Loaded Via Office, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Webshell Creation, PowerCat Function Loading, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading, Antivirus Web Shell Detection"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Ursnif Registry Key, Suspicious Desktopimgdownldr Execution, Remote Registry Management Using Reg Utility, RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, RDP Port Change Using Powershell, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, OceanLotus Registry Activity, DNS ServerLevelPluginDll Installation, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, DHCP Callout DLL Installation, RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, SysKey Registry Keys Access, Suspicious Taskkill Command, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility, Adexplorer Usage"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Rubeus Register New Logon Process, Possible Replay Attack, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Smss Wrong Parent, Metasploit PSExec Service Creation, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Userinit Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Smbexec.py Service Installation, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious PsExec Execution, Rare Logonui Child Found, Credential Dumping Tools Service Execution, Taskhost Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, Winrshost Wrong Parent, Microsoft Defender Antivirus Threat Detected, Smss Wrong Parent, Metasploit PSExec Service Creation, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Userinit Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Smbexec.py Service Installation, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, Suspicious PsExec Execution, Rare Logonui Child Found, Credential Dumping Tools Service Execution, Taskhost Wrong Parent, Wininit Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, APT29 Fake Google Update Service Install, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Chafer (APT 39) Activity, Svchost Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, APT29 Fake Google Update Service Install, Winrshost Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Cobalt Strike Default Service Creation Usage, StoneDrill Service Install, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Chafer (APT 39) Activity, Svchost Wrong Parent, Gpscript Suspicious Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, WMI Persistence Command Line Event Consumer, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Wininit Wrong Parent, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Malicious Service Installations, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Remote Task Creation Via ATSVC Named Pipe, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, DNS Tunnel Technique From MuddyWater, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Mustang Panda Dropper, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL, Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Detection of default Mimikatz banner, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Suspicious PowerShell Invocations - Generic, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, PowerShell - NTFS Alternate Data Stream, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, Alternate PowerShell Hosts Pipe, PowerShell Malicious PowerShell Commandlets, PowerShell Downgrade Attack, Default Encoding To UTF-8 PowerShell, FromBase64String Command Line, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious XOR Encoded PowerShell Command Line, Turla Named Pipes, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Credential Prompt, PowerShell EncodedCommand, Invoke-TheHash Commandlets, WMImplant Hack Tool, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Keywords, Bloodhound and Sharphound Tools Usage, In-memory PowerShell, Powershell Web Request, Malicious PowerShell Keywords, PowerShell Invoke Expression With Registry, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DNS ServerLevelPluginDll Installation, Werfault DLL Injection, DHCP Callout DLL Installation, Suspicious DLL side loading from ProgramData, DHCP Server Loaded the CallOut DLL, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, Denied Access To Remote Desktop, RDP Port Change Using Powershell, Admin Share Access, Protected Storage Service Access, Lsass Access Through WinRM, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, RDP Login From Localhost, MMC20 Lateral Movement, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMI DLL Loaded Via Office, WMIC Uninstall Product, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, Invoke-TheHash Commandlets, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Suspicious SAM Dump, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Copying Browser Files With Credentials, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files, NTDS.dit File In Suspicious Directory, Active Directory Database Dump Via Ntdsutil, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Cred Dump Tools Dropped Files, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Event Subscription, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, Control Panel Items, WMI Persistence Script Event Consumer File Write, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, WMI Event Subscription, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution, DCSync Attack"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Malspam Execution Registering Malicious DLL, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Privileged AD Builtin Group Modified, Domain Trust Created Or Removed, GPO Executable Delivery"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, Remote Privileged Group Enumeration, PowerView commandlets 1"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Privileged Operation, SCM Database Handle Failure, PowerView commandlets 2"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, Network Share Discovery, PowerView commandlets 2"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All, AD Object WriteDAC Access"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Detect requests to Konni C2 servers, Koadic MSHTML Command, Python HTTP Server, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Admin Share Access, Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Potential RDP Connection To Non-Domain Host, Abusing Azure Browser SSO, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Antivirus Password Dumper Detection, Download Files From Suspicious TLDs, Antivirus Exploitation Framework Detection, Audit CVE Event, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts, Suspicious HWP Child Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, RDP Login From Localhost, RDP Port Change Using Powershell"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, User Added to Local Administrators, Denied Access To Remote Desktop, Account Tampering - Suspicious Failed Logon Reasons, Admin User RDP Remote Logon, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, TUN/TAP Driver Installation, Exfiltration Domain In Command Line, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Narrator Feedback-Hub Persistence, Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key, Leviathan Registry Key Activity, Registry Key Used By Some Old Agent Tesla Samples, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event, CVE-2019-0708 Scan"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious TOR Gateway, Suspicious Hostname"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, GitLab CVE-2021-22205, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious XOR Encoded PowerShell Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json index 559a30bf4b..5dec0f77ca 100644 --- a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Darktrace Threat Visualizer [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Alert"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Darktrace Threat Visualizer [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json index 8f9d829538..4c180abfad 100644 --- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json index fddb6162f5..6590e82db4 100644 --- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious Driver Loaded, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Disable .NET ETW Through COMPlus_ETWEnabled, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, Autorun Keys Modification"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: IcedID Execution Using Excel, MOFComp Execution, Explorer Process Executing HTA File, Control Panel Items, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal, Mshta JavaScript Execution, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Regsvr32 Execution, Empire Monkey Activity, Suspicious Rundll32.exe Execution, CertOC Loading Dll, CMSTP Execution, Equation Group DLL_U Load, Suspicious Mshta Execution, xWizard Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, PowerShell Download From URL, Suspicious Outlook Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, QakBot Process Creation, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Sysprep On AppData Folder, Mshta Suspicious Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, MalwareBytes Uninstallation, Microsoft Office Spawning Script, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Suspicious DNS Child Process, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, PsExec Process, Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, Suspicious DNS Child Process, Winword wrong parent, Suspicious Commands From MS SQL Server Shell, PsExec Process, Usage Of Sysinternals Tools, Windows Update LolBins, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, SolarWinds Wrong Child Process, New Service Creation, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, WMI Install Of Binary, XSL Script Processing And SquiblyTwo Attack, Suspicious Mshta Execution From Wmi, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call, Impacket Wmiexec Module"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Suspicious Parent"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Sensitive Settings Changed, Blue Mockingbird Malware, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Winword Document Droppers"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Outlook Child Process, Winword Document Droppers"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Suspicious Driver Loaded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disable .NET ETW Through COMPlus_ETWEnabled, Disabled IE Security Features, Windows Firewall Changes, Suspicious Driver Loaded, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Explorer Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Kernel Module Alteration, Leviathan Registry Key Activity"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious Finger Usage, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, IcedID Execution Using Excel, Explorer Process Executing HTA File, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, PowerShell EncodedCommand, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process, Windows Update LolBins"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, MOFComp Execution, Suspicious Mshta Execution, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Empire Monkey Activity, MavInject Process Injection, CertOC Loading Dll, Suspicious Control Process, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, New Service Creation, Explorer Wrong Parent, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process, New Service Creation, Explorer Wrong Parent, Winword wrong parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json index ea146b4be9..9c91e1c480 100644 --- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cybereason MalOp", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Cybereason EDR Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Cybereason EDR Alert"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Cybereason EDR Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cybereason MalOp", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Cybereason EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Cybereason EDR Alert"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Cybereason EDR Alert, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json index 2d8c35de23..f686ba67bd 100644 --- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json index eb854509c1..1da576113b 100644 --- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json index a484370e1a..027d107838 100644 --- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Jumpcloud Directory Insights [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Jumpcloud Directory Insights [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a406a8c1-e1e0-4fe9-835b-3607d01150e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a406a8c1-e1e0-4fe9-835b-3607d01150e6_do_not_edit_manually.json index c71e3d4a54..25bb819925 100644 --- a/_shared_content/operations_center/detection/generated/attack_a406a8c1-e1e0-4fe9-835b-3607d01150e6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a406a8c1-e1e0-4fe9-835b-3607d01150e6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Netwrix Auditor", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Netwrix Auditor", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json index f02dca38a4..c223a93fe4 100644 --- a/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ab25af2e-4916-40ba-955c-34d2301c1f51_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Covenant Default HTTP Beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x NGINX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Covenant Default HTTP Beaconing, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json index 01bf8382a4..179b75da1c 100644 --- a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.json index f15faa04aa..1e9675ac4a 100644 --- a/_shared_content/operations_center/detection/generated/attack_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_b23668b2-5716-4432-9af7-bc4f81ad6df3_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x NetFlow", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x NetFlow", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json index f09542a1e7..9f3e2e7df6 100644 --- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Sysprep On AppData Folder, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, PowerShell Download From URL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Cron Files Alteration, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Package Manager Alteration, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allowed Python Program, Netsh Port Forwarding, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Package Manager Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Package Manager Alteration, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Python Offensive Tools and Packages, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious Control Process, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, Mshta JavaScript Execution, CertOC Loading Dll, AccCheckConsole Executing Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json index 39f1c3a329..a5838a642c 100644 --- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json index a7f024e372..3809c8349c 100644 --- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json index 144aeb547c..af7936bdbc 100644 --- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json index 6a4feebbad..cf9d82b569 100644 --- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json index ed8a9fb2cc..50317200e1 100644 --- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Backup Catalog Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected, Sysmon Windows File Block Executable"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Sysmon Windows File Block Executable"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json index 0eb1851644..5160dc32dd 100644 --- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json index 741c4f2d0f..a49b731dda 100644 --- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) AtpDetection, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Repeated Delete"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group, Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Failed Logon Source From Public IP Addresses, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Microsoft 365 Device Code Authentication, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Possible Malicious File Double Extension, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS New Country, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Suspicious TLDs, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Malware Filter Policy Removed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Malware Filter Policy Removed"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json index 8a55e1a2c3..c0fe7c9bce 100644 --- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x OGO WAF [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x OGO WAF [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json index 2c06efd6ec..5771441e49 100644 --- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway Network [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway Network [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json index af3aaf727e..8ee0201fe1 100644 --- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Salesforce Events [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default GET beaconing, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Salesforce Events [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json index 6aa17f8ac3..bdd8b6674c 100644 --- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Password Policy Updated"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Password Policy Updated"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Important Change, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Important Change, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Remove Flow logs, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail GuardDuty Detector Deleted"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Change Master Password, AWS CloudTrail RDS Public DB Restore"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Disruption, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Remove Flow logs, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Important Change, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Disable MFA"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Disruption, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Remove Flow logs, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail Important Change, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Detector Deleted"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Route 53 Domain Transfer Attempt"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json index e609a22b9e..f83bc9bb93 100644 --- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json index dbd88ccfd5..b3c9987323 100644 --- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json index f38dde7767..75a6544743 100644 --- a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, OceanLotus Registry Activity, RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, OceanLotus Registry Activity, RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json index a11797e34c..005f4b90a1 100644 --- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Netskope events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Netskope events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json index 0ff897ddc1..10b307973d 100644 --- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x ProofPoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x ProofPoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json index d543f2025c..b43b44f345 100644 --- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Vade M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Scam Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Spearphishing (W2 Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Spam Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vade M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Spam Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Malware Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json index aee4ebc1c9..dba19723f0 100644 --- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Okta System logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Account Deactivated, Okta Application deleted, Okta User Impersonation Access, Okta Admin Privilege Granted, Okta Application modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Blacklist Manipulations, Okta MFA Disabled, Okta Network Zone Modified, Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta Security Threat Configuration Updated"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta Network Zone Modified"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Okta System logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deleted, Okta Network Zone Modified, Okta Network Zone Deactivated"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Modified, Okta MFA Disabled, Okta Network Zone Deleted, Okta Security Threat Configuration Updated, Okta Blacklist Manipulations"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Impersonation Access, Okta Application modified, Okta Admin Privilege Granted, Okta Application deleted, Okta User Account Deactivated"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json index cb243cfb4d..45fbab6155 100644 --- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Socat Relaying Socket, Socat Reverse Shell Detection, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Python Offensive Tools and Packages, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Powershell Web Request, Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File, Suspicious PowerShell Invocations - Specific, Elise Backdoor, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Interactive Terminal Spawned via Python, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Sysprep On AppData Folder, Venom Multi-hop Proxy agent detection, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, PowerShell Downgrade Attack, MalwareBytes Uninstallation, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious Windows Script Execution, PowerShell Download From URL"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Listing Systemd Environment, System Info Discovery, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Rubeus Tool Command-line, Cmdkey Cached Credentials Recon, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Process Trace Alteration, Process Memory Dump Using Comsvcs, NTDS.dit File In Suspicious Directory, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, Netsh Port Forwarding, SELinux Disabling, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Fail2ban Unban IP, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Clear EventLogs Through CommandLine, Netsh Port Opening, Windows Firewall Changes, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Disabled Base64 Encoded, NetSh Used To Disable Windows Firewall, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Disabled Service, Netsh Allowed Python Program, Netsh Port Forwarding, SELinux Disabling, MalwareBytes Uninstallation, Raccine Uninstall, Netsh RDP Port Forwarding, Netsh Allow Command"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Reverse Shell Detection, Socat Relaying Socket, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, High Privileges Network Share Removal, Erase Shell History, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Taskkill Command, Suspicious Control Process, CMSTP Execution, Equation Group DLL_U Load, Explorer Process Executing HTA File, Suspicious Mshta Execution, Suspicious Windows Installer Execution, MavInject Process Injection, PowerShell Execution Via Rundll32, Control Panel Items, Empire Monkey Activity, xWizard Execution, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, CertOC Loading Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Persistence Script Event Consumer File Write, Change Default File Association, Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack, WMI Install Of Binary, Blue Mockingbird Malware, Wmic Process Call Creation, Wmic Service Call"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious Windows Script Execution, Koadic Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Phorpiex DriveMgr Command, WMIC Uninstall Product, Koadic Execution, Lazarus Loaders, MalwareBytes Uninstallation, Elise Backdoor"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Opening, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh Port Forwarding"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Finger Usage, Rclone Process, Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, Rclone Process"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, NlTest Usage, AdFind Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data, Copying Browser Files With Credentials"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}]} \ No newline at end of file +{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Disabled IE Security Features, MalwareBytes Uninstallation, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, SELinux Disabling, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Disabled IE Security Features, Windows Firewall Changes, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Disabled Service, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Phorpiex DriveMgr Command, Suspicious Taskkill Command, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Socat Reverse Shell Detection, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, PowerShell EncodedCommand, Python Offensive Tools and Packages, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Ngrok Process Execution"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Process Memory Dump Using Comsvcs, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, WMIC Uninstall Product"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Taskkill Command, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious Control Process, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Windows Installer Execution, MavInject Process Injection, Mshta JavaScript Execution, CertOC Loading Dll, AccCheckConsole Executing Dll"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Domain Trust Discovery Through LDAP, AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, OneNote Embedded File"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json index d996a1c3c6..9895c646b0 100644 --- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SonicWall Firewall [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SonicWall Firewall [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Network Sniffing"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json index ef69342730..a5f28cad79 100644 --- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json index fa0c2d3b42..d50544cd0a 100644 --- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2018-11776 Apache Struts2, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-26855 Exchange SSRF, CVE-2021-21985 VMware vCenter, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2019-0604 SharePoint, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json index 4fbe7897a4..8b19df21b6 100644 --- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2018-13379 Fortinet Exploit, CVE-2019-0604 SharePoint, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2018-11776 Apache Struts2, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-14882 Oracle WebLogic Server, GitLab CVE-2021-22205, CVE-2021-26855 Exchange SSRF"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, LokiBot Default C2 URL"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-1147 SharePoint, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2018-13379 Fortinet Exploit, CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, GitLab CVE-2021-22205, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-21985 VMware vCenter, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, LokiBot Default C2 URL"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json new file mode 100644 index 0000000000..b4afa620b2 --- /dev/null +++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json @@ -0,0 +1 @@ +{"name": "SEKOIA.IO x StormShield Endpoint Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, Listing Systemd Environment, List Shadow Copies"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Package Manager Alteration, Disabled IE Security Features, Suspicious Driver Loaded, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Raccine Uninstall, Netsh RDP Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Disabled Base64 Encoded, Disable Task Manager Through Registry Key, Netsh Port Forwarding, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell AMSI Deactivation Bypass Using .NET Reflection, ETW Tampering, Package Manager Alteration, Disabled IE Security Features, Windows Firewall Changes, Suspicious Driver Loaded, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Fail2ban Unban IP, Microsoft Defender Antivirus Disable Scheduled Tasks, Address Space Layout Randomization (ASLR) Alteration, WMIC Uninstall Product, Netsh Port Opening"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing Windows, Capture a network trace with netsh.exe, Network Sniffing, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Svchost Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhost Wrong Parent, Smss Wrong Parent, Explorer Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Wsmprovhost Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Process Trace Alteration, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File Interaction Through Command Line, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Cmdkey Cached Credentials Recon, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Rclone Process, Suspicious certutil command"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage, Trickbot Malware Activity, AdFind Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Taskkill Command, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Trickbot Malware Activity, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, PowerShell Downgrade Attack, XSL Script Processing And SquiblyTwo Attack, Default Encoding To UTF-8 PowerShell, Elise Backdoor, Suspicious PrinterPorts Creation (CVE-2020-1048), Lazarus Loaders, Suspicious VBS Execution Parameter, Suspicious Outlook Child Process, Exploiting SetupComplete.cmd CVE-2019-1378, PowerShell EncodedCommand, MalwareBytes Uninstallation, Koadic Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Cmd.exe Command Line, Bloodhound and Sharphound Tools Usage, Powershell Web Request, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Winword Document Droppers, IcedID Execution Using Excel, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, IcedID Execution Using Excel, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Possible Malicious File Double Extension, Explorer Wrong Parent, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, QakBot Process Creation, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Logonui Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Userinit Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Logonui Wrong Parent, Smss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Suspicious DNS Child Process, Searchprotocolhost Child Found, Windows Update LolBins, Userinit Wrong Parent, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Rare Logonui Child Found, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Logonui Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Logonui Wrong Parent, New Service Creation, Smss Wrong Parent, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Winlogon wrong parent, Searchprotocolhost Child Found, Userinit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchindexer Wrong Parent, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Csrss Wrong Parent, Svchost Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, Searchprotocolhost Wrong Parent, Winword wrong parent, Rare Logonui Child Found, Taskhost Wrong Parent, Wsmprovhost Wrong Parent, Lsass Wrong Parent, Csrss Child Found, Dllhost Wrong Parent"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Koadic Execution, Suspicious Taskkill Command, Elise Backdoor, Lazarus Loaders, Suspicious Cmd.exe Command Line, WMIC Uninstall Product, Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Download From URL, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Mshta Suspicious Child Process, DNS Exfiltration and Tunneling Tools Execution, Powershell Web Request, PowerShell EncodedCommand, PowerShell Downgrade Attack, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Regsvr32 Execution, MOFComp Execution, Suspicious Mshta Execution, xWizard Execution, CMSTP Execution, Equation Group DLL_U Load, Suspicious Windows Installer Execution, AccCheckConsole Executing Dll, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Empire Monkey Activity, MavInject Process Injection, CertOC Loading Dll, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Sticky Key Like Backdoor Usage, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Suspicious Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware, OceanLotus Registry Activity, RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Opening Of a Password File, Outlook Registry Access, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Outlook Child Process, Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Port Forwarding, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh Allow Command, Netsh RDP Port Opening, Windows Firewall Changes, Netsh Port Opening, Netsh Allowed Python Program"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Exchange Mailbox Export, Outlook Registry Access"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Download Files From Suspicious TLDs, Suspicious HWP Child Process"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md index 07b11f679e..3abeaf69ce 100644 --- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md @@ -1,87 +1,87 @@ -Changelog _last update on 2023-09-05_ +Changelog _last update on 2023-09-15_ ## Changelog -### Searchindexer Wrong Parent +### Searchprotocolhost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Taskhost Wrong Parent +### Svchost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Opening Of a Password File +### Taskhostw Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Csrss Wrong Parent +### Logonui Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Smss Wrong Parent +### Winrshost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Winword wrong parent +### Winlogon wrong parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Spoolsv Wrong Parent +### Searchindexer Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation ### Explorer Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Userinit Wrong Parent +### Taskhost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Lsass Wrong Parent +### Userinit Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Wmiprvse Wrong Parent +### Wininit Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Wininit Wrong Parent +### Spoolsv Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Dllhost Wrong Parent +### Smss Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Logonui Wrong Parent +### Opening Of a Password File - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Winrshost Wrong Parent +### Dllhost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Wsmprovhost Wrong Parent +### Wmiprvse Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Gpscript Suspicious Parent +### Lsass Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Winlogon wrong parent +### Winword wrong parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Taskhostw Wrong Parent +### Gpscript Suspicious Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Searchprotocolhost Wrong Parent +### Wsmprovhost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Svchost Wrong Parent +### Csrss Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation ### Windows Registry Persistence COM Search Order Hijacking - 16/08/2023 - minor - Adding filtering for some FPs -### MS Office Product Spawning Exe in User Dir - - 10/08/2023 - minor - Rule modified and filter added to reduce false positives. - ### Suspicious Network Args In Command Line - 10/08/2023 - major - Added a list of suspicious processes to drastically reduce false positives. -### Okta User Logged In Multiple Applications - - 07/08/2023 - major - Switching type from event_count to value_count | Adding Target in order to match only on different Apps +### MS Office Product Spawning Exe in User Dir + - 10/08/2023 - minor - Rule modified and filter added to reduce false positives. + +### Microsoft Defender Antivirus Exclusion Configuration + - 07/08/2023 - major - Considering the amount of false positives the rule effort has been changed to master. Furthermore a filter has been added. ### Microsoft Defender Antivirus Tampering Detected - 07/08/2023 - minor - Rule effort changed from intermediate to advanced considering the number of false positives observed. -### Microsoft Defender Antivirus Exclusion Configuration - - 07/08/2023 - major - Considering the amount of false positives the rule effort has been changed to master. Furthermore a filter has been added. +### Okta User Logged In Multiple Applications + - 07/08/2023 - major - Switching type from event_count to value_count | Adding Target in order to match only on different Apps ### Potential LokiBot User-Agent - 04/08/2023 - minor - Added a condition to only match on internal IP as source @@ -89,12 +89,12 @@ Changelog _last update on 2023-09-05_ ### Suspicious Windows DNS Queries - 02/08/2023 - minor - Added a new field and filters to reduce false positives. -### Wmic Process Call Creation - - 01/08/2023 - major - Rewritten as a regex to reduce false positives - ### Account Tampering - Suspicious Failed Logon Reasons - 01/08/2023 - minor - Similarity strategy for the rule has changed and is now based on the user.target.name field. +### Wmic Process Call Creation + - 01/08/2023 - major - Rewritten as a regex to reduce false positives + ### Potential DNS Tunnel - 19/07/2023 - major - New regex pattern and new filters. @@ -116,10 +116,10 @@ Changelog _last update on 2023-09-05_ ### Msdt (Follina) File Browse Process Execution - 19/06/2023 - minor - Added filter to the rule to reduce false positives. -### Socat Relaying Socket +### Socat Reverse Shell Detection - 14/06/2023 - minor - Added filter to the rule to reduce false positives. -### Socat Reverse Shell Detection +### Socat Relaying Socket - 14/06/2023 - minor - Added filter to the rule to reduce false positives. ### SolarWinds Wrong Child Process @@ -134,10 +134,10 @@ Changelog _last update on 2023-09-05_ ### PowerShell Download From URL - 26/05/2023 - minor - Added a filter to the rule as many false positives were observed. -### WMImplant Hack Tool +### Suspicious PowerShell Invocations - Specific - 26/05/2023 - minor - Added a filter to the rule as many false positives were observed. -### Suspicious PowerShell Invocations - Specific +### WMImplant Hack Tool - 26/05/2023 - minor - Added a filter to the rule as many false positives were observed. ### Internet Scanner Target @@ -146,37 +146,37 @@ Changelog _last update on 2023-09-05_ ### Internet Scanner - 28/04/2023 - minor - Support for standard ECS FW fields -### Audio Capture via PowerShell - - 18/04/2023 - minor - Use more specific patterns to fix false positives. - ### Remote Privileged Group Enumeration - 18/04/2023 - minor - Exclude events from the Local System session that cause false positives. +### Audio Capture via PowerShell + - 18/04/2023 - minor - Use more specific patterns to fix false positives. + ### Active Directory User Backdoors - 06/04/2023 - minor - Removed a selection as it triggered too many false positives, and the detection was not part of the main goal of this rule. -### Mimikatz Basic Commands - - 06/04/2023 - minor - Added a filter to the rule as many false positives were observed. - ### LSASS Memory Dump - 06/04/2023 - minor - Rule effort has been upgraded to master considering the number of different false positives the rule can trigger. +### Mimikatz Basic Commands + - 06/04/2023 - minor - Added a filter to the rule as many false positives were observed. + ### Suspicious PowerShell Invocations - Generic - 28/03/2023 - minor - Excluded some commonly observed false positives. ### Adexplorer Usage - 27/03/2023 - minor - Modify pattern to avoid false positive and detect usage of either / or - character for snapshot parameter -### SentinelOne EDR User Logged In To The Management Console - - 24/03/2023 - minor - Adjusting displayed columns when the rule triggers an alert. Now timestamp and username will be displayed. - ### Windows Update LolBins - 24/03/2023 - minor - The legitimate DLL UpdateDeploymentProvider.dll is now excluded from the rule as it triggered several false positives. +### SentinelOne EDR User Logged In To The Management Console + - 24/03/2023 - minor - Adjusting displayed columns when the rule triggers an alert. Now timestamp and username will be displayed. + ### Login Brute-Force Successful On AzureAD From Single IP Address - 23/03/2023 - minor - The error code 50076 has been excluded as it is not a specific error code related to a login failure that we want to detect and caused several false positives. -### LNK Malware Chain +### ISO-LNK Malware Chain - 13/03/2023 - minor - Extended the list of suspicious process names being spawned from explorer.exe ### Suspicious certutil command diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md index 205433cd42..971b65d368 100644 --- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md @@ -1,4 +1,4 @@ -Rules catalog includes **745 built-in detection rules** ([_last update on 2023-09-05_](rules_changelog.md)). +Rules catalog includes **748 built-in detection rules** ([_last update on 2023-09-15_](rules_changelog.md)). ## Reconnaissance **Gather Victim Network Information** @@ -1195,6 +1195,12 @@ Rules catalog includes **745 built-in detection rules** ([_last update on 2023-0 - **Effort:** advanced +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "Bloodhound and Sharphound Tools Usage" Detects default process names and default command line parameters used by Bloodhound and Sharphound tools. @@ -2037,6 +2043,12 @@ Rules catalog includes **745 built-in detection rules** ([_last update on 2023-0 - **Effort:** intermediate +??? abstract "HTA Infection Chains" + + Detect the creation of a ZIP and HTA file as it is often used in infection chains. Furthermore it also detects the use of suspicious processes launched by explorer.exe combined with the creation of an HTA file, since it is also often used in infection chains (LNK - HTA for instance). + + - **Effort:** intermediate + ??? abstract "HarfangLab EDR Critical Level Rule Detection" HarfangLab EDR has raised an alert based on a critical level rule (not using hlai engine) @@ -2079,13 +2091,7 @@ Rules catalog includes **745 built-in detection rules** ([_last update on 2023-0 - **Effort:** master -??? abstract "IcedID Execution Using Excel" - - Detects Excel spawning a process (rundll32 or wmic) running suspicious command-line. This behaviour could correspond to IcedID activity. - - - **Effort:** elementary - -??? abstract "LNK Malware Chain" +??? abstract "ISO-LNK Malware Chain" Detection of an ISO download followed by a child-process of explorer, which is characteristic of an infection using an ISO containing an LNK file. For events with `host.name`. @@ -2095,6 +2101,12 @@ Rules catalog includes **745 built-in detection rules** ([_last update on 2023-0 - 13/03/2023 - minor - Extended the list of suspicious process names being spawned from explorer.exe +??? abstract "IcedID Execution Using Excel" + + Detects Excel spawning a process (rundll32 or wmic) running suspicious command-line. This behaviour could correspond to IcedID activity. + + - **Effort:** elementary + ??? abstract "Login Brute-Force Successful On SentinelOne EDR Management Console" A user has attempted to login several times (brute-force) on the SentinelOne EDR Management Console and succeeded to login. @@ -5289,6 +5301,12 @@ Rules catalog includes **745 built-in detection rules** ([_last update on 2023-0 **Masquerading** +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "Copy Of Legitimate System32 Executable" A script has copied a System32 executable. @@ -7438,6 +7456,12 @@ Rules catalog includes **745 built-in detection rules** ([_last update on 2023-0 **Multi-Factor Authentication Interception** +??? abstract "Microsoft 365 Sign-in With No User Agent" + + Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing tool. Sign-ins happenning through a regular web browser always have a User-Agent header. + + - **Effort:** elementary + ??? abstract "Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses" Detection of login events from two IP addresses within 3mn, as it could happen if someone got phished with a tool like Evilginx2. @@ -7557,6 +7581,12 @@ Rules catalog includes **745 built-in detection rules** ([_last update on 2023-0 **Adversary-in-the-Middle** +??? abstract "Microsoft 365 Sign-in With No User Agent" + + Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing tool. Sign-ins happenning through a regular web browser always have a User-Agent header. + + - **Effort:** elementary + ??? abstract "Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses" Detection of login events from two IP addresses within 3mn, as it could happen if someone got phished with a tool like Evilginx2. @@ -8198,6 +8228,12 @@ Rules catalog includes **745 built-in detection rules** ([_last update on 2023-0 **Adversary-in-the-Middle** +??? abstract "Microsoft 365 Sign-in With No User Agent" + + Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing tool. Sign-ins happenning through a regular web browser always have a User-Agent header. + + - **Effort:** elementary + ??? abstract "Multiple Authentication On Microsoft 365 (Office 365) Portal From Two IP Addresses" Detection of login events from two IP addresses within 3mn, as it could happen if someone got phished with a tool like Evilginx2. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md index 9534b3aed4..a8e2b7ec5c 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.md @@ -45,6 +45,12 @@ Benefit from SEKOIA.IO built-in rules and upgrade **WithSecure Elements [BETA]** - **Effort:** intermediate +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "BITSAdmin Download" Detects command to download file using BITSAdmin, a built-in tool in Windows. This technique is used by several threat actors to download scripts or payloads on infected system. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.md index 8cd10431fd..9306db8600 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.md @@ -1,8 +1,8 @@ ## Related Built-in Rules -Benefit from SEKOIA.IO built-in rules and upgrade **Google Drive Reports** with the following detection capabilities out-of-the-box. +Benefit from SEKOIA.IO built-in rules and upgrade **Google Report** with the following detection capabilities out-of-the-box. -[SEKOIA.IO x Google Drive Reports on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json){ .md-button } +[SEKOIA.IO x Google Report on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json){ .md-button } ??? abstract "RTLO Character" Detects RTLO (Right-To-Left character) in file and process names. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md new file mode 100644 index 0000000000..296f1a70c3 --- /dev/null +++ b/_shared_content/operations_center/detection/generated/suggested_rules_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.md @@ -0,0 +1,1090 @@ +## Related Built-in Rules + +Benefit from SEKOIA.IO built-in rules and upgrade **Trend Micro Apex One [BETA]** with the following detection capabilities out-of-the-box. + +[SEKOIA.IO x Trend Micro Apex One [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json){ .md-button } +??? abstract "AccCheckConsole Executing Dll" + + Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL. + + - **Effort:** advanced + +??? abstract "AdFind Usage" + + Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory. Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects + + - **Effort:** elementary + +??? abstract "Add User to Privileged Group" + + Add user in a potential privileged group which can be used to elevate privileges on the system + + - **Effort:** advanced + +??? abstract "Address Space Layout Randomization (ASLR) Alteration" + + ASLR is a security feature used by the Operating System to mitigate memory exploit, attacker might want to disable it + + - **Effort:** intermediate + +??? abstract "Adexplorer Usage" + + Detects the usage of Adexplorer, a legitimate tool from the Sysinternals suite that could be abused by attackers as it can saves snapshots of the Active Directory Database. + + - **Effort:** advanced + +??? abstract "Advanced IP Scanner" + + Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. + + - **Effort:** master + +??? abstract "Audio Capture via PowerShell" + + Detects audio capture via PowerShell Cmdlet + + - **Effort:** intermediate + +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + +??? abstract "BITSAdmin Download" + + Detects command to download file using BITSAdmin, a built-in tool in Windows. This technique is used by several threat actors to download scripts or payloads on infected system. + + - **Effort:** advanced + +??? abstract "BazarLoader Persistence Using Schtasks" + + Detects possible BazarLoader persistence using schtasks. BazarLoader will create a Scheduled Task using a specific command line to establish its persistence. + + - **Effort:** intermediate + +??? abstract "Bloodhound and Sharphound Tools Usage" + + Detects default process names and default command line parameters used by Bloodhound and Sharphound tools. + + - **Effort:** intermediate + +??? abstract "Blue Mockingbird Malware" + + Attempts to detect system changes made by Blue Mockingbird + + - **Effort:** elementary + +??? abstract "Burp Suite Tool Detected" + + Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner) + + - **Effort:** intermediate + +??? abstract "CMSTP Execution" + + Detects various indicators of Microsoft Connection Manager Profile Installer execution + + - **Effort:** intermediate + +??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit" + + Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA. + + - **Effort:** elementary + +??? abstract "CVE-2020-17530 Apache Struts RCE" + + Detects the exploitation of the Apache Struts vulnerability (CVE-2020-17530). + + - **Effort:** intermediate + +??? abstract "CVE-2021-20021 SonicWall Unauthenticated Administrator Access" + + Detects the exploitation of SonicWall Unauthenticated Admin Access. + + - **Effort:** advanced + +??? abstract "CVE-2021-20023 SonicWall Arbitrary File Read" + + Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data. + + - **Effort:** advanced + +??? abstract "CVE-2021-22893 Pulse Connect Secure RCE Vulnerability" + + Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product. + + - **Effort:** intermediate + +??? abstract "CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv" + + Detects suspicious image loads and file creations from the spoolsv process which could be a sign of an attacker trying to exploit the PrintNightmare vulnerability, CVE-2021-34527. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. This works as well as a Local Privilege escalation vulnerability. To fully work the rule requires to log for Loaded DLLs and File Creations, which can be done respectively using the Sysmon's event IDs 7 and 11. + + - **Effort:** master + +??? abstract "Capture a network trace with netsh.exe" + + Detects capture a network trace via netsh.exe trace functionality + + - **Effort:** intermediate + +??? abstract "CertOC Loading Dll" + + Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. + + - **Effort:** intermediate + +??? abstract "Certificate Authority Modification" + + Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations. + + - **Effort:** master + +??? abstract "Change Default File Association" + + When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. + + - **Effort:** advanced + +??? abstract "Clear EventLogs Through CommandLine" + + Detects a command that clears event logs which could indicate an attempt from an attacker to erase its previous traces. + + - **Effort:** intermediate + +??? abstract "Cmdkey Cached Credentials Recon" + + Detects usage of cmdkey to look for cached credentials. + + - **Effort:** intermediate + +??? abstract "Cobalt Strike Default Beacons Names" + + Detects the default names of Cobalt Strike beacons / payloads. + + - **Effort:** elementary + +??? abstract "Commonly Used Commands To Stop Services And Remove Backups" + + Detects specific commands used regularly by ransomwares to stop services or remove backups + + - **Effort:** intermediate + +??? abstract "Control Panel Items" + + Detects the malicious use of a control panel item + + - **Effort:** advanced + +??? abstract "Copying Browser Files With Credentials" + + Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files. + + - **Effort:** elementary + +??? abstract "Copying Sensitive Files With Credential Data" + + Detects copy of files with well-known filenames (sensitive files with credential data) using esentutl. This requires Windows Security event log with the Detailed File Share logging policy enabled. + + - **Effort:** elementary + +??? abstract "Cron Files Alteration" + + Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation. + + - **Effort:** advanced + +??? abstract "DNS Exfiltration and Tunneling Tools Execution" + + Well-known DNS exfiltration tools execution + + - **Effort:** intermediate + +??? abstract "Data Compressed With Rar" + + An adversary may compress data in order to make it portable and minimize the amount of data sent over the network, this could be done the popular rar command line program. + + - **Effort:** master + +??? abstract "Data Compressed With Rar With Password" + + An adversary may compress data in order to make it portable and minimize the amount of data sent over the network, this could be done the popular rar command line program. This is a more specific one for rar where the arguments allow to encrypt both file data and headers with a given password. + + - **Effort:** intermediate + +??? abstract "Debugging Software Deactivation" + + Deactivation of some debugging softwares using taskkill command. It was observed being used by Ransomware operators. + + - **Effort:** elementary + +??? abstract "Default Encoding To UTF-8 PowerShell" + + Detects PowerShell encoding to UTF-8, which is used by Sliver implants. The command line just sets the default encoding to UTF-8 in PowerShell. + + - **Effort:** advanced + +??? abstract "Detect requests to Konni C2 servers" + + This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September. + + - **Effort:** elementary + +??? abstract "Disable Task Manager Through Registry Key" + + Detects commands used to disable the Windows Task Manager by modifying the proper registry key in order to impair security tools. This technique is used by the Agent Tesla RAT, among others. + + - **Effort:** elementary + +??? abstract "Disabled IE Security Features" + + Detects from the command lines or the registry, changes that indicate unwanted modifications to registry keys that disable important Internet Explorer security features. This has been used by attackers during Operation Ke3chang. + + - **Effort:** advanced + +??? abstract "Domain Group And Permission Enumeration" + + Detects adversaries attempts to find domain-level groups and permission settings. Commands such as net group /domain of the Net utility can list domain-level groups The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Wizard Spider, FIN6, and other groups used net in their campaigns. + + - **Effort:** advanced + +??? abstract "Domain Trust Discovery Through LDAP" + + Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. "trustedDomain" which is detected here is a Microsoft Active Directory ObjectClass Type that represents a domain that is trusted by, or trusting, the local AD DOMAIN. Several tools are using LDAP queries in the end to get the information (DSQuery, sometimes ADFind as well, etc.) + + - **Effort:** elementary + +??? abstract "Download Files From Suspicious TLDs" + + Detects download of certain file types from hosts in suspicious TLDs + + - **Effort:** master + +??? abstract "Dynamic Linker Hijacking From Environment Variable" + + LD_PRELOAD and LD_LIBRARY_PATH are environment variables used by the Operating System at the runtime to load shared objects (library.ies) when executing a new process, attacker can overwrite this variable to attempts a privileges escalation. + + - **Effort:** advanced + +??? abstract "ETW Tampering" + + Detects a command that clears or disables any ETW Trace log which could indicate a logging evasion + + - **Effort:** intermediate + +??? abstract "Elise Backdoor" + + Detects Elise backdoor activity as used by Lotus Blossom + + - **Effort:** elementary + +??? abstract "Empire Monkey Activity" + + Detects EmpireMonkey APT reported Activity + + - **Effort:** elementary + +??? abstract "Equation Group DLL_U Load" + + Detects a specific tool and export used by EquationGroup + + - **Effort:** elementary + +??? abstract "Erase Shell History" + + Malware and attacker try to reduce their fingerprints on compromised host by deleting shell history + + - **Effort:** advanced + +??? abstract "Exchange Mailbox Export" + + Detection of a standard Exchange Mailbox export, which stores all mails from a user in a pst file. + + - **Effort:** intermediate + +??? abstract "Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data" + + Detects PowerShell SnapIn command line, often used with Get-Mailbox to export Exchange mailbox data. + + - **Effort:** intermediate + +??? abstract "Exchange Server Creating Unusual Files" + + Look for Microsoft Exchange Server’s Unified Messaging service creating non-standard content on disk, which could indicate web shells or other malicious content, suggesting exploitation of CVE-2021-26858 vulnerability + + - **Effort:** intermediate + +??? abstract "Exfiltration And Tunneling Tools Execution" + + Execution of well known tools for data exfiltration and tunneling + + - **Effort:** advanced + +??? abstract "Exfiltration Domain In Command Line" + + Detects commands containing a domain linked to http exfiltration. + + - **Effort:** intermediate + +??? abstract "Explorer Process Executing HTA File" + + Detects a suspicious execution of an HTA file by the explorer.exe process. This unusual activity was observed when running IcedID malspam. + + - **Effort:** intermediate + +??? abstract "Fail2ban Unban IP" + + An IP was ubaned by Fail2ban. It could be use to allow malicous traffic. + + - **Effort:** advanced + +??? abstract "Formbook File Creation DB1" + + Detects specific file creation (Users\*\AppData\Local\Temp\DB1) to store data to exfiltrate (Formbook behavior). Logging for Sysmon event 11 is usually used for this detection. + + - **Effort:** intermediate + +??? abstract "Grabbing Sensitive Hives Via Reg Utility" + + Detects dump of SAM, System or Security hives using reg.exe utility. Adversaries may attempt to dump these Windows Registry to retrieve password hashes and access credentials. + + - **Effort:** intermediate + +??? abstract "HackTools Suspicious Process Names In Command Line" + + Detects the default process name of several HackTools and also check in command line. This rule is here for quickwins as it obviously has many blind spots. + + - **Effort:** intermediate + +??? abstract "Hiding Files With Attrib.exe" + + Detects usage of attrib.exe to hide files from users. + + - **Effort:** advanced + +??? abstract "High Privileges Network Share Removal" + + Detects high privileges shares being deleted with the net share command. + + - **Effort:** intermediate + +??? abstract "Hijack Legit RDP Session To Move Laterally" + + Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon. + + - **Effort:** intermediate + +??? abstract "ICacls Granting Access To All" + + Detects suspicious icacls command granting access to all, used by the ransomware Ryuk to delete every access-based restrictions on files and directories. ICacls is a built-in Windows command to interact with the Discretionary Access Control Lists (DACLs) which can grand adversaries higher permissions on specific files and folders. + + - **Effort:** elementary + +??? abstract "IIS Module Installation Using AppCmd" + + Detects the installation of a new IIS module from the command line. It can used used to backdoor an IIS/OWA/Sharepoint server. + + - **Effort:** intermediate + +??? abstract "Inhibit System Recovery Deleting Backups" + + Detects adversaries attempts to delete backups or inhibit system recovery. This rule relies on differents known techniques using Windows events logs from Sysmon (ID 1), and PowerShell (ID 4103, 4104). + + - **Effort:** intermediate + +??? abstract "KeePass Config XML In Command-Line" + + Detects a command-line interaction with the KeePass Config XML file. It could be used to retrieve informations or to be abused for persistence. + + - **Effort:** intermediate + +??? abstract "Kernel Module Alteration" + + Kernel module installation can be used to configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. + + - **Effort:** advanced + +??? abstract "Koadic Execution" + + Detects command line parameters used by Koadic hack tool + + - **Effort:** intermediate + +??? abstract "Koadic MSHTML Command" + + Detects Koadic payload using MSHTML module + + - **Effort:** intermediate + +??? abstract "Lazarus Loaders" + + Detects different loaders used by the Lazarus Group APT + + - **Effort:** elementary + +??? abstract "List Shadow Copies" + + Detects command line used to list shadow copies. An adversary may attempt to get information on shadow volumes to perform deletion or extract password hashes from the ntds.dit file. This rule requires command line logging or Windows PowerShell events (4104). + + - **Effort:** master + +??? abstract "Listing Systemd Environment" + + Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. + + - **Effort:** elementary + +??? abstract "MSBuild Abuse" + + Detection of MSBuild uses by attackers to infect an host. Focuses on XML compilation which is a Metasploit payload, and on connections made by this process which is unusual. + + - **Effort:** intermediate + +??? abstract "Malicious Browser Extensions" + + Detects browser extensions being loaded with the --load-extension and -base-url options, which works on Chromium-based browsers. We are looking for potentially malicious browser extensions. These extensions can get access to informations. + + - **Effort:** advanced + +??? abstract "MalwareBytes Uninstallation" + + Detects command line being used by attackers to uninstall Malwarebytes. + + - **Effort:** intermediate + +??? abstract "MavInject Process Injection" + + Detects process injection using the signed Windows tool Mavinject32.exe (which is a LOLBAS) + + - **Effort:** intermediate + +??? abstract "Meterpreter or Cobalt Strike Getsystem Service Installation" + + Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting some of the techniques being used (technique 1,2 and 5). + + - **Effort:** elementary + +??? abstract "Microsoft Defender Antivirus Disable Scheduled Tasks" + + The rule detects attempts to deactivate/disable Windows Defender scheduled tasks via command line + + - **Effort:** intermediate + +??? abstract "Microsoft Defender Antivirus Disable Using Registry" + + The rule detects attempts to deactivate/disable Microsoft Defender Antivirus using registry modification via command line. + + - **Effort:** master + +??? abstract "Microsoft Defender Antivirus Disabled Base64 Encoded" + + Detects attempts to deactivate/disable Windows Defender through base64 encoded PowerShell command line. + + - **Effort:** elementary + +??? abstract "Microsoft Defender Antivirus History Directory Deleted" + + Windows Defender history directory has been deleted. Could be an attempt by an attacker to remove its traces. + + - **Effort:** elementary + +??? abstract "Microsoft Defender Antivirus Restoration Abuse" + + The rule detects attempts to abuse Windows Defender file restoration tool. The Windows Defender process is allowed to write files in its own protected directory. This functionality can be used by a threat actor to overwrite Windows Defender files in order to prevent it from running correctly or use Windows Defender to execute a malicious DLL. + + - **Effort:** intermediate + +??? abstract "Microsoft Defender Antivirus Set-MpPreference Base64 Encoded" + + Detects changes of preferences for Windows Defender scan and updates. Configure Windows Defender using base64-encoded commands is suspicious and could be related to malicious activities. + + - **Effort:** intermediate + +??? abstract "Microsoft Defender Antivirus Signatures Removed With MpCmdRun" + + Detects attempts to remove Windows Defender Signatures using MpCmdRun legitimate Windows Defender executable. No signatures mean Windows Defender will be less effective (or completely useless depending on the option used). + + - **Effort:** elementary + +??? abstract "Microsoft Office Creating Suspicious File" + + Detects Microsoft Office process (word, excel, powerpoint) creating a suspicious file which corresponds to a script or an executable. This behavior highly corresponds to an executed macro which loads an installation script or a malware payload. The rule requires to log for File Creations to work properly, which can be done through Sysmon Event ID 11. + + - **Effort:** master + +??? abstract "Mshta JavaScript Execution" + + Identifies suspicious mshta.exe commands that execute JavaScript supplied as a command line argument. + + - **Effort:** elementary + +??? abstract "NTDS.dit File In Suspicious Directory" + + The file NTDS.dit is supposed to be located mainly in C:\Windows\NTDS. The rule checks whether the file is in a legitimate directory or not (through file creation events). This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes. + + - **Effort:** advanced + +??? abstract "NTDS.dit File Interaction Through Command Line" + + Detects interaction with the file NTDS.dit through command line. This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes. + + - **Effort:** intermediate + +??? abstract "Net.exe User Account Creation" + + Identifies creation of local users via the net.exe command + + - **Effort:** master + +??? abstract "NetSh Used To Disable Windows Firewall" + + Detects NetSh commands used to disable the Windows Firewall + + - **Effort:** intermediate + +??? abstract "Netsh Allow Command" + + Netsh command line to allow a program to pass through firewall. + + - **Effort:** advanced + +??? abstract "Netsh Allowed Python Program" + + Detects netsh command that performs modification on Firewall rules to allow the program python.exe. This activity is most likely related to the deployment of a Python server or an application that needs to communicate over a network. Threat actors could use it for data extraction, hosting a webshell or else. + + - **Effort:** intermediate + +??? abstract "Netsh Port Forwarding" + + Detects netsh commands that enable a port forwarding between to hosts. This can be used by attackers to tunnel RDP or SMB shares for example. + + - **Effort:** elementary + +??? abstract "Netsh Port Opening" + + Detects netsh commands that opens a specific port. Can be used by malware or attackers for lateralisation/exfiltration (e.g. SMB/RDP opening). + + - **Effort:** master + +??? abstract "Netsh RDP Port Forwarding" + + Detects netsh commands that configure a port forwarding of port 3389 used for RDP. This is commonly used by attackers during lateralization on windows environments. + + - **Effort:** elementary + +??? abstract "Netsh RDP Port Opening" + + Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware + + - **Effort:** intermediate + +??? abstract "Network Scanning and Discovery" + + Tools and command lines used for network discovery from current system + + - **Effort:** advanced + +??? abstract "Network Sniffing" + + List of common tools used for network packages sniffing + + - **Effort:** advanced + +??? abstract "Network Sniffing Windows" + + Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. + + - **Effort:** intermediate + +??? abstract "New DLL Added To AppCertDlls Registry Key" + + Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13). + + - **Effort:** intermediate + +??? abstract "New Service Creation" + + Detects creation of a new service from command line + + - **Effort:** advanced + +??? abstract "Ngrok Process Execution" + + Detects possible Ngrok execution, which can be used by attacker for RDP tunneling. + + - **Effort:** intermediate + +??? abstract "NlTest Usage" + + Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. These command lines were observed in numerous attacks, but also sometimes from legitimate administrators for debugging purposes. The rule does not cover very basics commands but rather the ones that are interesting for attackers to gather information on a domain. + + - **Effort:** intermediate + +??? abstract "Non-Legitimate Executable Using AcceptEula Parameter" + + Detects accepteula in command line with non-legitimate executable name. Some attackers are masquerading SysInternals tools with decoy names to prevent detection. + + - **Effort:** intermediate + +??? abstract "OneNote Embedded File" + + Detects creation or uses of OneNote embedded files with unusual extensions. + + - **Effort:** intermediate + +??? abstract "Opening Of a Password File" + + Command line detection of common office software opening some password related file. It could be a security breach if an unauthorized user access it. + + - **Effort:** advanced + +??? abstract "Outlook Registry Access" + + Detection of accesses to Microsoft Outlook registry hive, which might contain sensitive information. + + - **Effort:** elementary + +??? abstract "Package Manager Alteration" + + Package manager (eg: apt, yum) can be altered to install malicious software + + - **Effort:** advanced + +??? abstract "PasswordDump SecurityXploded Tool" + + Detects the execution of the PasswordDump SecurityXploded Tool + + - **Effort:** elementary + +??? abstract "Phorpiex DriveMgr Command" + + Detects specific command used by the Phorpiex botnet to execute a copy of the loader during its self-spreading stage. As described by Microsoft, this behavior is unique and easily identifiable due to the use of folders named with underscores "__" and the PE name "DriveMgr.exe". + + - **Effort:** elementary + +??? abstract "Phorpiex Process Masquerading" + + Detects specific process executable path used by the Phorpiex botnet to masquerade its system process network activity. It looks for a pattern of a system process executable name that is not legitimate and running from a folder that is created via a random algorithm 13-15 numbers long. + + - **Effort:** elementary + +??? abstract "Possible Malicious File Double Extension" + + Detects request to potential malicious file with double extension + + - **Effort:** elementary + +??? abstract "Potential DNS Tunnel" + + Detects domain name which is longer than 95 characters. Long domain names are distinctive of DNS tunnels. + + - **Effort:** advanced + +??? abstract "PowerCat Function Loading" + + Detect a basic execution of PowerCat. PowerCat is a PowerShell function allowing to do basic connections, file transfer, shells, relays, generate payloads. + + - **Effort:** intermediate + +??? abstract "PowerShell AMSI Deactivation Bypass Using .NET Reflection" + + Detects Request to amsiInitFailed that can be used to disable AMSI (Antimalware Scan Interface) Scanning. More information about Antimalware Scan Interface https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal. + + - **Effort:** elementary + +??? abstract "PowerShell Downgrade Attack" + + Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 + + - **Effort:** elementary + +??? abstract "PowerShell Download From URL" + + Detects a Powershell process that contains download commands in its command line string + + - **Effort:** intermediate + +??? abstract "PowerShell EncodedCommand" + + Detects popular file extensions in commands obfuscated in base64 run through the EncodedCommand option. + + - **Effort:** advanced + +??? abstract "PowerShell Execution Via Rundll32" + + Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll Rule modified + + - **Effort:** intermediate + +??? abstract "PowerShell Malicious Nishang PowerShell Commandlets" + + Detects Commandlet names and arguments from the Nishang exploitation framework + + - **Effort:** advanced + +??? abstract "Powershell UploadString Function" + + Powershell's `uploadXXX` functions are a category of methods which can be used to exfiltrate data through native means on a Windows host. + + - **Effort:** intermediate + +??? abstract "Powershell Web Request" + + Detects the use of various web request methods executed remotely via Windows PowerShell + + - **Effort:** advanced + +??? abstract "Process Memory Dump Using Comsvcs" + + Detects the use of comsvcs in command line to dump a specific proces memory. This techinique is widlely used by attackers for privilege escalation and pivot. + + - **Effort:** elementary + +??? abstract "Process Memory Dump Using Rdrleakdiag" + + Detects the use of rdrleakdiag.exe in command line to dump the memory of a process. This technique is used by attackers for privilege escalation and pivot. + + - **Effort:** elementary + +??? abstract "Process Trace Alteration" + + PTrace syscall provides a means by which one process ("tracer") may observe and control the execution of another process ("tracee") and examine and change the tracee's memory and registers. Attacker might want to abuse ptrace functionnality to analyse memory process. It requires to be admin or set ptrace_scope to 0 to allow all user to trace any process. + + - **Effort:** advanced + +??? abstract "ProxyShell Exchange Suspicious Paths" + + Detects suspicious calls to Exchange resources, in locations related to webshells observed in campaigns using this vulnerability. + + - **Effort:** elementary + +??? abstract "PsExec Process" + + Detects PsExec execution, command line which contains pstools or installation of the PsExec service. PsExec is a SysInternals which can be used to execute a program on another computer. The tool is as much used by attackers as by administrators. + + - **Effort:** advanced + +??? abstract "Python HTTP Server" + + Detects command used to start a Simple HTTP server in Python. Threat actors could use it for data extraction, hosting a webshell or else. + + - **Effort:** intermediate + +??? abstract "Python Offensive Tools and Packages" + + Track installation and usage of offensive python packages and project that are used for lateral movement + + - **Effort:** master + +??? abstract "Qakbot Persistence Using Schtasks" + + Detects possible Qakbot persistence using schtasks. + + - **Effort:** intermediate + +??? abstract "RDP Session Discovery" + + Detects use of RDP session discovery via qwinsta or quser. Used by some threat actors to know if someone is working via RDP on a server. + + - **Effort:** advanced + +??? abstract "RTLO Character" + + Detects RTLO (Right-To-Left character) in file and process names. + + - **Effort:** elementary + +??? abstract "RYUK Ransomeware - martinstevens Username" + + Detects user name "martinstevens". Wizard Spider is used to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns; in 2019 and 2020. + + - **Effort:** elementary + +??? abstract "Raccine Uninstall" + + Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. + + - **Effort:** elementary + +??? abstract "Rclone Process" + + Detects Rclone executable or Rclone execution by using the process name, the execution through a command obfuscated or not. + + - **Effort:** advanced + +??? abstract "RedMimicry Winnti Playbook Registry Manipulation" + + Detects actions caused by the RedMimicry Winnti playbook. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13). + + - **Effort:** elementary + +??? abstract "Rubeus Tool Command-line" + + Detects command line parameters used by Rubeus, a toolset to interact with Kerberos and abuse it. + + - **Effort:** advanced + +??? abstract "SEKOIA.IO Intelligence Feed" + + Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team. + + - **Effort:** elementary + +??? abstract "SOCKS Tunneling Tool" + + Detects the usage of a SOCKS tunneling tool, often used by threat actors. These tools often use the socks5 commandline argument, however socks4 can sometimes be used as well. Unfortunately, socks alone (without any number) triggered too many false positives. + + - **Effort:** intermediate + +??? abstract "SSH Authorized Key Alteration" + + The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision + + - **Effort:** advanced + +??? abstract "Schtasks Persistence With High Privileges" + + Detection of scheduled task with high privileges used by attacker for persistence. + + - **Effort:** elementary + +??? abstract "SolarWinds Suspicious File Creation" + + Detects SolarWinds process creating a file with a suspicious extension. The process solarwinds.businesslayerhost.exe created an unexpected file whose extension is ".exe", ".ps1", ".jpg", ".png" or ".dll". + + - **Effort:** intermediate + +??? abstract "Spyware Persistence Using Schtasks" + + Detects possible Agent Tesla or Formbook persistence using schtasks. The name of the scheduled task used by these malware is very specific (Updates/randomstring). + + - **Effort:** intermediate + +??? abstract "Suncrypt Parameters" + + Detects SunCrypt ransomware's parameters, most of which are unique. + + - **Effort:** elementary + +??? abstract "Suspicious ADSI-Cache Usage By Unknown Tool" + + Detects the usage of ADSI (LDAP) operations by tools. This may also detect tools like LDAPFragger. It needs file monitoring capabilities (Sysmon Event ID 11 with .sch file creation logging). + + - **Effort:** advanced + +??? abstract "Suspicious Cmd File Copy Command To Network Share" + + Copy suspicious files through Windows cmd prompt to network share + + - **Effort:** intermediate + +??? abstract "Suspicious Control Process" + + Detects suspicious execution of control.exe process when used to execute a DLL file. + + - **Effort:** advanced + +??? abstract "Suspicious DLL Loading By Ordinal" + + Detects suspicious DLL Loading by ordinal number in a non legitimate or rare folders. For example, Sofacy (APT28) used this technique to load their Trojan in a campaign of 2018. + + - **Effort:** intermediate + +??? abstract "Suspicious Double Extension" + + Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spearphishing campaigns + + - **Effort:** elementary + +??? abstract "Suspicious Finger Usage" + + Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays. An attacker can use finger to silently retrieve a command, a script or a payload from a remote server. For example, the tool Darkfinger-C2 uses this technique to download files from the C2 channel. + + - **Effort:** intermediate + +??? abstract "Suspicious Headless Web Browser Execution To Download File" + + Detects a suspicious command used to execute a Chromium-based web browser (Chrome or Edge) using the headless mode, meaning that the browser window wouldn't be visible, and the dump mode to download a file. This technique can be used to fingerprint the compromised host, in particular by the Ducktail infostealer. + + - **Effort:** elementary + +??? abstract "Suspicious Microsoft Defender Antivirus Exclusion Command" + + Detects PowerShell commands aiming to exclude path, process, IP address, or extension from scheduled and real-time scanning. These commands can be used by attackers or malware to avoid being detected by Windows Defender. Depending on the environment and the installed software, this detection rule could raise false positives. We recommend customizing this rule by filtering legitimate processes that use Windows Defender exclusion command in your environment. + + - **Effort:** master + +??? abstract "Suspicious Mshta Execution" + + Detects suspicious mshta.exe execution patterns, either involving file polyglotism, remote file (http, ftp or ldap) or suspicious location. This technique is often used by threat actors. + + - **Effort:** intermediate + +??? abstract "Suspicious Netsh DLL Persistence" + + Detects persitence via netsh helper. Netsh interacts with other operating system components using dynamic-link library (DLL) files. Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. + + - **Effort:** elementary + +??? abstract "Suspicious Network Args In Command Line" + + Detection on some commonly observed suspicious processes command lines using HTTP schema with port 443. + + - **Effort:** intermediate + +??? abstract "Suspicious PowerShell Invocations - Specific" + + Detects suspicious PowerShell invocation command parameters + + - **Effort:** intermediate + +??? abstract "Suspicious PrinterPorts Creation (CVE-2020-1048)" + + Detects new commands that add new printer port which point to suspicious file + + - **Effort:** advanced + +??? abstract "Suspicious Rundll32.exe Execution" + + The process rundll32.exe executes a newly dropped DLL with update /i in the command line. This specific technic was observed at least being used by the IcedID loading mechanism dubbed Gziploader. + + - **Effort:** intermediate + +??? abstract "Suspicious Taskkill Command" + + Detects rare taskkill command being used. It could be related to Baby Shark malware. + + - **Effort:** intermediate + +??? abstract "Suspicious URI Used In A Lazarus Campaign" + + Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised. + + - **Effort:** intermediate + +??? abstract "Suspicious VBS Execution Parameter" + + Detects suspicious VBS file execution with a specific parameter by cscript. It was observed in the Operation CloudHopper. + + - **Effort:** elementary + +??? abstract "Suspicious Windows Installer Execution" + + Detects suspicious execution of the Windows Installer service (msiexec.exe) which could be used to install a malicious MSI package hosted on a remote server. + + - **Effort:** intermediate + +??? abstract "Suspicious Windows Script Execution" + + Detects wscript.exe or cscript.exe executing a script in user directories (C:\ProgramData or C:\Users) with a .txt extension, which is very suspicious. It could strongly correspond to a malware dropper, as seen during SquirrelWaffle maldoc campaign. + + - **Effort:** intermediate + +??? abstract "Suspicious certutil command" + + Detects suspicious certutil command which can be used by threat actors to download and/or decode payload. + + - **Effort:** intermediate + +??? abstract "Suspicious desktop.ini Action" + + Detects unusual processes accessing desktop.ini, which can be leveraged to alter how Explorer displays a folder's content (i.e. renaming files) without changing them on disk. + + - **Effort:** advanced + +??? abstract "Sysprep On AppData Folder" + + Detects suspicious Sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec). Sysprep is a Windows tool used to change Windows images from a generalized state to a specialized state, and then back to a generalized state. It can be used to remove all system-specific information and reset the computer. + + - **Effort:** intermediate + +??? abstract "System Info Discovery" + + System info discovery, attempt to detects basic command use to fingerprint a host + + - **Effort:** master + +??? abstract "Telegram Bot API Request" + + Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind + + - **Effort:** advanced + +??? abstract "Usage Of Procdump With Common Arguments" + + Detects the usage of Procdump sysinternals tool with some common arguments and followed by common patterns. + + - **Effort:** intermediate + +??? abstract "WCE wceaux.dll Creation" + + Detects wceaux.dll creation while Windows Credentials Editor (WCE) is executed. + + - **Effort:** intermediate + +??? abstract "WMI Install Of Binary" + + Detection of WMI used to install a binary on the host. It is often used by attackers as a signed binary to infect an host. + + - **Effort:** elementary + +??? abstract "WMI Persistence Script Event Consumer File Write" + + Detects file writes through WMI script event consumer. + + - **Effort:** advanced + +??? abstract "WMIC Uninstall Product" + + Detects products being uninstalled using WMIC command. + + - **Effort:** intermediate + +??? abstract "Webshell Creation" + + Detects possible webshell file creation. It requires File Creation monitoring, which can be done using Sysmon's Event ID 11. However the recommended SwiftOnSecurity configuration does not fully cover the needs for this rule, it needs to be updated with the proper file names extensions. + + - **Effort:** master + +??? abstract "WiFi Credentials Harvesting Using Netsh" + + Detects the harvesting of WiFi credentials using netsh.exe, used in particular by Agent Tesla (RAT) and Turla Mosquito (RAT) + + - **Effort:** elementary + +??? abstract "Windows Firewall Changes" + + Detects changes on Windows Firewall configuration + + - **Effort:** master + +??? abstract "Wmic Process Call Creation" + + The WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI). WMIC is compatible with existing shells and utility commands. Although WMI is supposed to be an administration tool, it is wildy abused by threat actors. One of the reasons is WMI is quite stealthy. This rule detects the wmic command line launching a process on a remote or local host. + + - **Effort:** intermediate + +??? abstract "Wmic Service Call" + + Detects either remote or local code execution using wmic tool. + + - **Effort:** intermediate + +??? abstract "XCopy Suspicious Usage" + + Detects the usage of xcopy with suspicious command line options (used by Judgment Panda APT in the past). The rule is based on command line only in case xcopy is renamed. + + - **Effort:** advanced + +??? abstract "XSL Script Processing And SquiblyTwo Attack" + + Detection of an attack where adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Another variation of this technique, dubbed "Squiblytwo", involves to invoke JScript or VBScript within an XSL file. + + - **Effort:** intermediate + +??? abstract "xWizard Execution" + + Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. + + - **Effort:** master diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md index df520c80c0..c54b77d19d 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.md @@ -45,6 +45,12 @@ Benefit from SEKOIA.IO built-in rules and upgrade **CrowdStrike Falcon** with th - **Effort:** intermediate +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "BITSAdmin Download" Detects command to download file using BITSAdmin, a built-in tool in Windows. This technique is used by several threat actors to download scripts or payloads on infected system. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md index c8aed0f497..4b1c33f994 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.md @@ -159,6 +159,12 @@ Benefit from SEKOIA.IO built-in rules and upgrade **Sekoia.io Endpoint Agent** w - **Effort:** elementary +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "Autorun Keys Modification" Detects modification of autostart extensibility point (ASEP) in registry. Prerequisites are Logging for Registry events in the Sysmon configuration (events 12 and 13). diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md index 867b78d618..4948b7151b 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.md @@ -63,6 +63,12 @@ Benefit from SEKOIA.IO built-in rules and upgrade **Azure Windows** with the fol - **Effort:** elementary +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "Autorun Keys Modification" Detects modification of autostart extensibility point (ASEP) in registry. Prerequisites are Logging for Registry events in the Sysmon configuration (events 12 and 13). diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md index 4bf79a9afd..894d45d5cd 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.md @@ -57,6 +57,12 @@ Benefit from SEKOIA.IO built-in rules and upgrade **HarfangLab** with the follow - **Effort:** intermediate +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "Autorun Keys Modification" Detects modification of autostart extensibility point (ASEP) in registry. Prerequisites are Logging for Registry events in the Sysmon configuration (events 12 and 13). diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md index 0d653877ea..d2a447fa46 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.md @@ -45,6 +45,12 @@ Benefit from SEKOIA.IO built-in rules and upgrade **SentinelOne Cloud Funnel 2.0 - **Effort:** intermediate +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "Autorun Keys Modification" Detects modification of autostart extensibility point (ASEP) in registry. Prerequisites are Logging for Registry events in the Sysmon configuration (events 12 and 13). diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.md index a1cac2d9ac..7ebc02f89b 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.md @@ -15,6 +15,12 @@ Benefit from SEKOIA.IO built-in rules and upgrade **Broadcom/Symantec Endpoint S - **Effort:** advanced +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "Bloodhound and Sharphound Tools Usage" Detects default process names and default command line parameters used by Bloodhound and Sharphound tools. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md index a451fa7c32..0191b3e6d9 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.md @@ -45,6 +45,12 @@ Benefit from SEKOIA.IO built-in rules and upgrade **Cisco NX-OS [BETA]** with th - **Effort:** intermediate +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "BITSAdmin Download" Detects command to download file using BITSAdmin, a built-in tool in Windows. This technique is used by several threat actors to download scripts or payloads on infected system. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md index 9ba1046641..10c9f45a01 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.md @@ -45,6 +45,12 @@ Benefit from SEKOIA.IO built-in rules and upgrade **SentinelOne Cloud Funnel 1.0 - **Effort:** intermediate +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "BITSAdmin Download" Detects command to download file using BITSAdmin, a built-in tool in Windows. This technique is used by several threat actors to download scripts or payloads on infected system. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md index d8bb2718ad..446047f0bc 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.md @@ -45,6 +45,12 @@ Benefit from SEKOIA.IO built-in rules and upgrade **TEHTRIS Endpoint Detection & - **Effort:** intermediate +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "BITSAdmin Download" Detects command to download file using BITSAdmin, a built-in tool in Windows. This technique is used by several threat actors to download scripts or payloads on infected system. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md index 8ddbcbccc6..836655bea6 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.md @@ -171,6 +171,12 @@ Benefit from SEKOIA.IO built-in rules and upgrade **Windows** with the following - **Effort:** elementary +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + ??? abstract "Autorun Keys Modification" Detects modification of autostart extensibility point (ASEP) in registry. Prerequisites are Logging for Registry events in the Sysmon configuration (events 12 and 13). diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md index aa1cc2569c..7cbf1d8085 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md @@ -225,6 +225,12 @@ Benefit from SEKOIA.IO built-in rules and upgrade **Office 365** with the follow - **Effort:** elementary +??? abstract "Microsoft 365 Sign-in With No User Agent" + + Detects a sign-in without any User-Agent header. This may indicate that the sign-in originated from an adversary-in-the-middle phishing tool. Sign-ins happenning through a regular web browser always have a User-Agent header. + + - **Effort:** elementary + ??? abstract "Microsoft 365 Suspicious Inbox Rule" Business Email Compromise threat actors often create inbox rules to forward, hide, or delete emails containing sensitive information. This rule detects common caracteristics of malicious inbox rules. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md new file mode 100644 index 0000000000..4fda6f8e95 --- /dev/null +++ b/_shared_content/operations_center/detection/generated/suggested_rules_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.md @@ -0,0 +1,1474 @@ +## Related Built-in Rules + +Benefit from SEKOIA.IO built-in rules and upgrade **StormShield Endpoint Security [BETA]** with the following detection capabilities out-of-the-box. + +[SEKOIA.IO x StormShield Endpoint Security [BETA] on ATT&CK Navigator](https://mitre-attack.github.io/attack-navigator/#layerURL=https%3A%2F%2Fraw.githubusercontent.com%2FSEKOIA-IO%2Fdocumentation%2Fmain%2F_shared_content%2Foperations_center%2Fdetection%2Fgenerated%2Fattack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json){ .md-button } +??? abstract "AccCheckConsole Executing Dll" + + Detects suspicious LOLBIN AccCheckConsole execution with parameters as used to load an arbitrary DLL. + + - **Effort:** advanced + +??? abstract "AdFind Usage" + + Detects the usage of the AdFind tool. AdFind.exe is a free tool that extracts information from Active Directory. Wizard Spider (Bazar, TrickBot, Ryuk), FIN6 and MAZE operators have used AdFind.exe to collect information about Active Directory organizational units and trust objects + + - **Effort:** elementary + +??? abstract "Add User to Privileged Group" + + Add user in a potential privileged group which can be used to elevate privileges on the system + + - **Effort:** advanced + +??? abstract "Address Space Layout Randomization (ASLR) Alteration" + + ASLR is a security feature used by the Operating System to mitigate memory exploit, attacker might want to disable it + + - **Effort:** intermediate + +??? abstract "Adexplorer Usage" + + Detects the usage of Adexplorer, a legitimate tool from the Sysinternals suite that could be abused by attackers as it can saves snapshots of the Active Directory Database. + + - **Effort:** advanced + +??? abstract "Advanced IP Scanner" + + Detects the use of Advanced IP Scanner. Seems to be a popular tool for ransomware groups. + + - **Effort:** master + +??? abstract "Audio Capture via PowerShell" + + Detects audio capture via PowerShell Cmdlet + + - **Effort:** intermediate + +??? abstract "AutoIt3 Execution From Suspicious Folder" + + Detects AutoIt3 execution from an unusual/suspicious folder. Legitimate folders are "Program Files" and "AppData\\Local". AutoIt3.exe is a legitimate process used to execute AutoIt program files, which are used by legitimate software, custom scripts, but also malware. Finding AutoIt3 execution from unusual/suspicious folder can help detect malware activities, such as DarkGate execution. The detection rule can be tailored to your environment and your use of AutoIt3 by filtering out folder's execution of legitimate applications or scripts. + + - **Effort:** advanced + +??? abstract "Autorun Keys Modification" + + Detects modification of autostart extensibility point (ASEP) in registry. Prerequisites are Logging for Registry events in the Sysmon configuration (events 12 and 13). + + - **Effort:** master + +??? abstract "BITSAdmin Download" + + Detects command to download file using BITSAdmin, a built-in tool in Windows. This technique is used by several threat actors to download scripts or payloads on infected system. + + - **Effort:** advanced + +??? abstract "BazarLoader Persistence Using Schtasks" + + Detects possible BazarLoader persistence using schtasks. BazarLoader will create a Scheduled Task using a specific command line to establish its persistence. + + - **Effort:** intermediate + +??? abstract "Bloodhound and Sharphound Tools Usage" + + Detects default process names and default command line parameters used by Bloodhound and Sharphound tools. + + - **Effort:** intermediate + +??? abstract "Blue Mockingbird Malware" + + Attempts to detect system changes made by Blue Mockingbird + + - **Effort:** elementary + +??? abstract "CMSTP Execution" + + Detects various indicators of Microsoft Connection Manager Profile Installer execution + + - **Effort:** intermediate + +??? abstract "CMSTP UAC Bypass via COM Object Access" + + Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects + + - **Effort:** intermediate + +??? abstract "CVE 2022-1292" + + The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. + + - **Effort:** advanced + +??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit" + + Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA. + + - **Effort:** elementary + +??? abstract "CVE-2020-17530 Apache Struts RCE" + + Detects the exploitation of the Apache Struts vulnerability (CVE-2020-17530). + + - **Effort:** intermediate + +??? abstract "CVE-2021-20021 SonicWall Unauthenticated Administrator Access" + + Detects the exploitation of SonicWall Unauthenticated Admin Access. + + - **Effort:** advanced + +??? abstract "CVE-2021-20023 SonicWall Arbitrary File Read" + + Detects Arbitrary File Read, which can be used with other vulnerabilities as a mean to obtain outputs generated by attackers, or sensitive data. + + - **Effort:** advanced + +??? abstract "CVE-2021-22893 Pulse Connect Secure RCE Vulnerability" + + Detects potential exploitation of the authentication by-pass vulnerability that can allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway. It is highly recommended to apply the Pulse Secure mitigations and seach for indicators of compromise on affected servers if you are in doubt over the integrity of your Pulse Connect Secure product. + + - **Effort:** intermediate + +??? abstract "Capture a network trace with netsh.exe" + + Detects capture a network trace via netsh.exe trace functionality + + - **Effort:** intermediate + +??? abstract "CertOC Loading Dll" + + Detects when a user installs certificates by using CertOC.exe to loads the target DLL file. + + - **Effort:** intermediate + +??? abstract "Certificate Authority Modification" + + Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations. + + - **Effort:** master + +??? abstract "Change Default File Association" + + When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access or by administrators using the built-in assoc utility. Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened. + + - **Effort:** advanced + +??? abstract "Clear EventLogs Through CommandLine" + + Detects a command that clears event logs which could indicate an attempt from an attacker to erase its previous traces. + + - **Effort:** intermediate + +??? abstract "Cmd.exe Used To Run Reconnaissance Commands" + + Detects command lines with suspicious args + + - **Effort:** advanced + +??? abstract "Cmdkey Cached Credentials Recon" + + Detects usage of cmdkey to look for cached credentials. + + - **Effort:** intermediate + +??? abstract "Commonly Used Commands To Stop Services And Remove Backups" + + Detects specific commands used regularly by ransomwares to stop services or remove backups + + - **Effort:** intermediate + +??? abstract "Control Panel Items" + + Detects the malicious use of a control panel item + + - **Effort:** advanced + +??? abstract "Copying Browser Files With Credentials" + + Detects copy of sensitive data (passwords, cookies, credit cards) included in web browsers files. + + - **Effort:** elementary + +??? abstract "Copying Sensitive Files With Credential Data" + + Detects copy of files with well-known filenames (sensitive files with credential data) using esentutl. This requires Windows Security event log with the Detailed File Share logging policy enabled. + + - **Effort:** elementary + +??? abstract "Cron Files Alteration" + + Cron Files and Cron Directory alteration used by attacker for persistency or privilege escalation. + + - **Effort:** advanced + +??? abstract "Csrss Child Found" + + The csrss.exe process (csrss stands for Client / Server Runtime Subsystem) is a generic Windows process used to manage windows and Windows graphics. This process should not create a child process or it is very rare. + + - **Effort:** intermediate + +??? abstract "Csrss Wrong Parent" + + The csrss.exe process (csrss stands for Client / Server Runtime Subsystem) is a generic Windows process used to manage windows and Windows graphics. This rule analyse if the parent of this process is a legitimate one or not. + + - **Effort:** advanced + +??? abstract "DNS Exfiltration and Tunneling Tools Execution" + + Well-known DNS exfiltration tools execution + + - **Effort:** intermediate + +??? abstract "DNS Tunnel Technique From MuddyWater" + + Detecting DNS Tunnel Activity For Muddywater intrusion set. This is the loading of a specific DLL from an Excel macro which is detected. + + - **Effort:** elementary + +??? abstract "Data Compressed With Rar" + + An adversary may compress data in order to make it portable and minimize the amount of data sent over the network, this could be done the popular rar command line program. + + - **Effort:** master + +??? abstract "Data Compressed With Rar With Password" + + An adversary may compress data in order to make it portable and minimize the amount of data sent over the network, this could be done the popular rar command line program. This is a more specific one for rar where the arguments allow to encrypt both file data and headers with a given password. + + - **Effort:** intermediate + +??? abstract "Debugging Software Deactivation" + + Deactivation of some debugging softwares using taskkill command. It was observed being used by Ransomware operators. + + - **Effort:** elementary + +??? abstract "Default Encoding To UTF-8 PowerShell" + + Detects PowerShell encoding to UTF-8, which is used by Sliver implants. The command line just sets the default encoding to UTF-8 in PowerShell. + + - **Effort:** advanced + +??? abstract "Detect requests to Konni C2 servers" + + This rule detects requests to Konni C2 servers. These patterns come from an analysis done in 2022, September. + + - **Effort:** elementary + +??? abstract "Disable Task Manager Through Registry Key" + + Detects commands used to disable the Windows Task Manager by modifying the proper registry key in order to impair security tools. This technique is used by the Agent Tesla RAT, among others. + + - **Effort:** elementary + +??? abstract "Disable Workstation Lock" + + Registry change in order to disable the ability to lock the computer by using CTRL+ALT+DELETE or CTRL+L. This registry key does not exist by default. Its creation is suspicious and the value set to "1" means an activation. It has been used by FatalRAT, but other attacker/malware could probably use it. This rule needs Windows Registry changes (add,modification,deletion) logging which can be done through Sysmon Event IDs 12,13,14. + + - **Effort:** elementary + +??? abstract "Disabled IE Security Features" + + Detects from the command lines or the registry, changes that indicate unwanted modifications to registry keys that disable important Internet Explorer security features. This has been used by attackers during Operation Ke3chang. + + - **Effort:** advanced + +??? abstract "Dllhost Wrong Parent" + + Dllhost.exe is a process belonging to Microsoft Windows Operating System. The dllhost.exe file manages DLL based applications. This rule analyse if the parent of this process is a legitimate one or not. + + - **Effort:** elementary + +??? abstract "Domain Group And Permission Enumeration" + + Detects adversaries attempts to find domain-level groups and permission settings. Commands such as net group /domain of the Net utility can list domain-level groups The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators. Wizard Spider, FIN6, and other groups used net in their campaigns. + + - **Effort:** advanced + +??? abstract "Domain Trust Discovery Through LDAP" + + Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. "trustedDomain" which is detected here is a Microsoft Active Directory ObjectClass Type that represents a domain that is trusted by, or trusting, the local AD DOMAIN. Several tools are using LDAP queries in the end to get the information (DSQuery, sometimes ADFind as well, etc.) + + - **Effort:** elementary + +??? abstract "Download Files From Suspicious TLDs" + + Detects download of certain file types from hosts in suspicious TLDs + + - **Effort:** master + +??? abstract "Dynamic Linker Hijacking From Environment Variable" + + LD_PRELOAD and LD_LIBRARY_PATH are environment variables used by the Operating System at the runtime to load shared objects (library.ies) when executing a new process, attacker can overwrite this variable to attempts a privileges escalation. + + - **Effort:** advanced + +??? abstract "ETW Tampering" + + Detects a command that clears or disables any ETW Trace log which could indicate a logging evasion + + - **Effort:** intermediate + +??? abstract "Elise Backdoor" + + Detects Elise backdoor activity as used by Lotus Blossom + + - **Effort:** elementary + +??? abstract "Empire Monkey Activity" + + Detects EmpireMonkey APT reported Activity + + - **Effort:** elementary + +??? abstract "Equation Group DLL_U Load" + + Detects a specific tool and export used by EquationGroup + + - **Effort:** elementary + +??? abstract "Erase Shell History" + + Malware and attacker try to reduce their fingerprints on compromised host by deleting shell history + + - **Effort:** advanced + +??? abstract "Exchange Mailbox Export" + + Detection of a standard Exchange Mailbox export, which stores all mails from a user in a pst file. + + - **Effort:** intermediate + +??? abstract "Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data" + + Detects PowerShell SnapIn command line, often used with Get-Mailbox to export Exchange mailbox data. + + - **Effort:** intermediate + +??? abstract "Exchange Server Spawning Suspicious Processes" + + Look for Microsoft Exchange Server’s Unified Messaging service spawning suspicious sub-processes, suggesting exploitation of CVE-2021-26857 vulnerability. + + - **Effort:** intermediate + +??? abstract "Exfiltration And Tunneling Tools Execution" + + Execution of well known tools for data exfiltration and tunneling + + - **Effort:** advanced + +??? abstract "Exfiltration Domain In Command Line" + + Detects commands containing a domain linked to http exfiltration. + + - **Effort:** intermediate + +??? abstract "Exploit For CVE-2015-1641" + + Detects Winword process starting uncommon sub process MicroScMgmt.exe as used in exploits for CVE-2015-1641 + + - **Effort:** elementary + +??? abstract "Exploit For CVE-2017-0261 Or CVE-2017-0262" + + Detects Winword starting uncommon sub process FLTLDR.exe as used in exploits for CVE-2017-0261 and CVE-2017-0262. This is a very basic detection method relying on the rare usage of EPS files from Winword. + + - **Effort:** advanced + +??? abstract "Exploited CVE-2020-10189 Zoho ManageEngine" + + Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 + + - **Effort:** elementary + +??? abstract "Exploiting SetupComplete.cmd CVE-2019-1378" + + Detects exploitation attempts of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378 + + - **Effort:** intermediate + +??? abstract "Explorer Process Executing HTA File" + + Detects a suspicious execution of an HTA file by the explorer.exe process. This unusual activity was observed when running IcedID malspam. + + - **Effort:** intermediate + +??? abstract "Explorer Wrong Parent" + + Detects suspicious spawning of explorer.exe process created by the rundll32.exe or regsvr32.exe. This behaviour is abnormal. Malware injecting itself into the explorer.exe process is quite common, in order to evade process-based defenses. + + - **Effort:** elementary + +??? abstract "Fail2ban Unban IP" + + An IP was ubaned by Fail2ban. It could be use to allow malicous traffic. + + - **Effort:** advanced + +??? abstract "File Or Folder Permissions Modifications" + + Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. + + - **Effort:** master + +??? abstract "FlowCloud Malware" + + Detects FlowCloud malware from threat group TA410. This requires Windows Event registry logging. + + - **Effort:** elementary + +??? abstract "Formbook Hijacked Process Command" + + Detects process hijacked by Formbook malware which executes specific commands to delete the dropper or copy browser credentials to the database before sending them to the C2. + + - **Effort:** intermediate + +??? abstract "Grabbing Sensitive Hives Via Reg Utility" + + Detects dump of SAM, System or Security hives using reg.exe utility. Adversaries may attempt to dump these Windows Registry to retrieve password hashes and access credentials. + + - **Effort:** intermediate + +??? abstract "HackTools Suspicious Process Names In Command Line" + + Detects the default process name of several HackTools and also check in command line. This rule is here for quickwins as it obviously has many blind spots. + + - **Effort:** intermediate + +??? abstract "Hiding Files With Attrib.exe" + + Detects usage of attrib.exe to hide files from users. + + - **Effort:** advanced + +??? abstract "High Privileges Network Share Removal" + + Detects high privileges shares being deleted with the net share command. + + - **Effort:** intermediate + +??? abstract "Hijack Legit RDP Session To Move Laterally" + + Identifies suspicious file creations in the startup folder of a remote system. An adversary could abuse this to move laterally by dropping a malicious script or executable that will be executed after a reboot or user logon. + + - **Effort:** intermediate + +??? abstract "ICacls Granting Access To All" + + Detects suspicious icacls command granting access to all, used by the ransomware Ryuk to delete every access-based restrictions on files and directories. ICacls is a built-in Windows command to interact with the Discretionary Access Control Lists (DACLs) which can grand adversaries higher permissions on specific files and folders. + + - **Effort:** elementary + +??? abstract "IIS Module Installation Using AppCmd" + + Detects the installation of a new IIS module from the command line. It can used used to backdoor an IIS/OWA/Sharepoint server. + + - **Effort:** intermediate + +??? abstract "IcedID Execution Using Excel" + + Detects Excel spawning a process (rundll32 or wmic) running suspicious command-line. This behaviour could correspond to IcedID activity. + + - **Effort:** elementary + +??? abstract "Impacket Wmiexec Module" + + Detection of impacket's wmiexec example, used by attackers to execute commands remotely. + + - **Effort:** elementary + +??? abstract "Inhibit System Recovery Deleting Backups" + + Detects adversaries attempts to delete backups or inhibit system recovery. This rule relies on differents known techniques using Windows events logs from Sysmon (ID 1), and PowerShell (ID 4103, 4104). + + - **Effort:** intermediate + +??? abstract "KeePass Config XML In Command-Line" + + Detects a command-line interaction with the KeePass Config XML file. It could be used to retrieve informations or to be abused for persistence. + + - **Effort:** intermediate + +??? abstract "Kernel Module Alteration" + + Kernel module installation can be used to configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. + + - **Effort:** advanced + +??? abstract "Koadic Execution" + + Detects command line parameters used by Koadic hack tool + + - **Effort:** intermediate + +??? abstract "Koadic MSHTML Command" + + Detects Koadic payload using MSHTML module + + - **Effort:** intermediate + +??? abstract "Lazarus Loaders" + + Detects different loaders used by the Lazarus Group APT + + - **Effort:** elementary + +??? abstract "Leviathan Registry Key Activity" + + Detects registry key used by Leviathan APT in Malaysian focused campaign. + + - **Effort:** elementary + +??? abstract "List Shadow Copies" + + Detects command line used to list shadow copies. An adversary may attempt to get information on shadow volumes to perform deletion or extract password hashes from the ntds.dit file. This rule requires command line logging or Windows PowerShell events (4104). + + - **Effort:** master + +??? abstract "Listing Systemd Environment" + + Detects a listing of systemd environment variables. This command could be used to do reconnaissance on a compromised host. + + - **Effort:** elementary + +??? abstract "Logonui Wrong Parent" + + Logonui.exe is a file associated with the Logon user interface. The login user interface is an essential part of the Windows operating system. It doesn't only make it easy for the user to log in to the PC but also determines whether the user has logged in and logged out correctly and makes it easy to switch between users. This rule checks if the parent of this process is a legitimate one or not. + + - **Effort:** intermediate + +??? abstract "Lsass Wrong Parent" + + Lsass ensures the identification of users (domain users or local users). Domain users are identified based on information in the Active Directory. Local users are identified based on information from the Security Account Manager (SAM) local database. This rule checks if the parent of this process is a legitimate one or not. + + - **Effort:** intermediate + +??? abstract "MMC Spawning Windows Shell" + + Detects a Windows command line executable started from MMC process + + - **Effort:** intermediate + +??? abstract "MMC20 Lateral Movement" + + Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe. + + - **Effort:** intermediate + +??? abstract "MOFComp Execution" + + Detects rare usage of the Managed Object Format (MOF) compiler on Microsoft Windows. This could be abused by some attackers to load WMI classes. + + - **Effort:** intermediate + +??? abstract "MS Office Product Spawning Exe in User Dir" + + Detects an executable in the users directory started from Microsoft Word, Excel, Powerpoint, Publisher or Visio. This is a common technique used by attackers with documents embedding macros. It requires Windows command line logging events. + + - **Effort:** intermediate + +??? abstract "MSBuild Abuse" + + Detection of MSBuild uses by attackers to infect an host. Focuses on XML compilation which is a Metasploit payload, and on connections made by this process which is unusual. + + - **Effort:** intermediate + +??? abstract "Malicious Browser Extensions" + + Detects browser extensions being loaded with the --load-extension and -base-url options, which works on Chromium-based browsers. We are looking for potentially malicious browser extensions. These extensions can get access to informations. + + - **Effort:** advanced + +??? abstract "MalwareBytes Uninstallation" + + Detects command line being used by attackers to uninstall Malwarebytes. + + - **Effort:** intermediate + +??? abstract "MavInject Process Injection" + + Detects process injection using the signed Windows tool Mavinject32.exe (which is a LOLBAS) + + - **Effort:** intermediate + +??? abstract "Meterpreter or Cobalt Strike Getsystem Service Installation" + + Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting some of the techniques being used (technique 1,2 and 5). + + - **Effort:** elementary + +??? abstract "Microsoft Defender Antivirus Disable Scheduled Tasks" + + The rule detects attempts to deactivate/disable Windows Defender scheduled tasks via command line + + - **Effort:** intermediate + +??? abstract "Microsoft Defender Antivirus Disable Using Registry" + + The rule detects attempts to deactivate/disable Microsoft Defender Antivirus using registry modification via command line. + + - **Effort:** master + +??? abstract "Microsoft Defender Antivirus Disabled Base64 Encoded" + + Detects attempts to deactivate/disable Windows Defender through base64 encoded PowerShell command line. + + - **Effort:** elementary + +??? abstract "Microsoft Defender Antivirus History Directory Deleted" + + Windows Defender history directory has been deleted. Could be an attempt by an attacker to remove its traces. + + - **Effort:** elementary + +??? abstract "Microsoft Defender Antivirus Restoration Abuse" + + The rule detects attempts to abuse Windows Defender file restoration tool. The Windows Defender process is allowed to write files in its own protected directory. This functionality can be used by a threat actor to overwrite Windows Defender files in order to prevent it from running correctly or use Windows Defender to execute a malicious DLL. + + - **Effort:** intermediate + +??? abstract "Microsoft Defender Antivirus Set-MpPreference Base64 Encoded" + + Detects changes of preferences for Windows Defender scan and updates. Configure Windows Defender using base64-encoded commands is suspicious and could be related to malicious activities. + + - **Effort:** intermediate + +??? abstract "Microsoft Defender Antivirus Signatures Removed With MpCmdRun" + + Detects attempts to remove Windows Defender Signatures using MpCmdRun legitimate Windows Defender executable. No signatures mean Windows Defender will be less effective (or completely useless depending on the option used). + + - **Effort:** elementary + +??? abstract "Microsoft Office Product Spawning Windows Shell" + + Detects a Windows command or scripting interpreter executable started from Microsoft Word, Excel, Powerpoint, Publisher and Visio. This typically indicates the parent process launched a malicious macro, or run an exploit. This infection vector is very common and could lead to the deployment of harmful malware. + + - **Effort:** advanced + +??? abstract "Microsoft Office Spawning Script" + + Detects Microsoft Office process (word, excel, powerpoint) spawning wscript.exe or cscript.exe. This typically indicates the parent process launched a malicious macro, or run an exploit. This infection vector is very common and could lead to the deployment of harmful malware. + + - **Effort:** intermediate + +??? abstract "Mshta JavaScript Execution" + + Identifies suspicious mshta.exe commands that execute JavaScript supplied as a command line argument. + + - **Effort:** elementary + +??? abstract "Mshta Suspicious Child Process" + + Detects the use of various web request methods executed remotely via Windows PowerShell + + - **Effort:** intermediate + +??? abstract "NTDS.dit File Interaction Through Command Line" + + Detects interaction with the file NTDS.dit through command line. This is usually really suspicious and could indicate an attacker trying copy the file to then look for users password hashes. + + - **Effort:** intermediate + +??? abstract "Net.exe User Account Creation" + + Identifies creation of local users via the net.exe command + + - **Effort:** master + +??? abstract "NetSh Used To Disable Windows Firewall" + + Detects NetSh commands used to disable the Windows Firewall + + - **Effort:** intermediate + +??? abstract "Netsh Allow Command" + + Netsh command line to allow a program to pass through firewall. + + - **Effort:** advanced + +??? abstract "Netsh Allowed Python Program" + + Detects netsh command that performs modification on Firewall rules to allow the program python.exe. This activity is most likely related to the deployment of a Python server or an application that needs to communicate over a network. Threat actors could use it for data extraction, hosting a webshell or else. + + - **Effort:** intermediate + +??? abstract "Netsh Port Forwarding" + + Detects netsh commands that enable a port forwarding between to hosts. This can be used by attackers to tunnel RDP or SMB shares for example. + + - **Effort:** elementary + +??? abstract "Netsh Port Opening" + + Detects netsh commands that opens a specific port. Can be used by malware or attackers for lateralisation/exfiltration (e.g. SMB/RDP opening). + + - **Effort:** master + +??? abstract "Netsh Program Allowed With Suspicious Location" + + Detects Netsh commands that allow a suspcious application location on Windows Firewall, seen on kasidet worm. Last part of the existing rule (commandline startwith) was not added to this rule because it is not relevant. + + - **Effort:** intermediate + +??? abstract "Netsh RDP Port Forwarding" + + Detects netsh commands that configure a port forwarding of port 3389 used for RDP. This is commonly used by attackers during lateralization on windows environments. + + - **Effort:** elementary + +??? abstract "Netsh RDP Port Opening" + + Detects netsh commands that opens the port 3389 used for RDP, used in Sarwent Malware + + - **Effort:** intermediate + +??? abstract "Network Scanning and Discovery" + + Tools and command lines used for network discovery from current system + + - **Effort:** advanced + +??? abstract "Network Sniffing" + + List of common tools used for network packages sniffing + + - **Effort:** advanced + +??? abstract "Network Sniffing Windows" + + Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data. + + - **Effort:** intermediate + +??? abstract "New DLL Added To AppCertDlls Registry Key" + + Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs value in the Registry key can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13). + + - **Effort:** intermediate + +??? abstract "New Service Creation" + + Detects creation of a new service from command line + + - **Effort:** advanced + +??? abstract "Ngrok Process Execution" + + Detects possible Ngrok execution, which can be used by attacker for RDP tunneling. + + - **Effort:** intermediate + +??? abstract "NlTest Usage" + + Detects attempts to gather information on domain trust relationships that may be used to identify lateral movement opportunities. These command lines were observed in numerous attacks, but also sometimes from legitimate administrators for debugging purposes. The rule does not cover very basics commands but rather the ones that are interesting for attackers to gather information on a domain. + + - **Effort:** intermediate + +??? abstract "Non-Legitimate Executable Using AcceptEula Parameter" + + Detects accepteula in command line with non-legitimate executable name. Some attackers are masquerading SysInternals tools with decoy names to prevent detection. + + - **Effort:** intermediate + +??? abstract "OceanLotus Registry Activity" + + Detects registry keys created in OceanLotus (also known as APT32) attack. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13). + + - **Effort:** intermediate + +??? abstract "OneNote Suspicious Children Process" + + In January 2023, a peak of attacks using .one files was observed in the wild. This rule tries to detect the effect of such attempts using this technique. + + - **Effort:** elementary + +??? abstract "Opening Of a Password File" + + Command line detection of common office software opening some password related file. It could be a security breach if an unauthorized user access it. + + - **Effort:** advanced + +??? abstract "Outlook Registry Access" + + Detection of accesses to Microsoft Outlook registry hive, which might contain sensitive information. + + - **Effort:** elementary + +??? abstract "Package Manager Alteration" + + Package manager (eg: apt, yum) can be altered to install malicious software + + - **Effort:** advanced + +??? abstract "Pandemic Windows Implant" + + Detects Pandemic Windows Implant through registry keys or specific command lines. Prerequisites: Logging for Registry events is needed, which can be done in the Sysmon configuration (events 12 and 13). + + - **Effort:** intermediate + +??? abstract "PasswordDump SecurityXploded Tool" + + Detects the execution of the PasswordDump SecurityXploded Tool + + - **Effort:** elementary + +??? abstract "Phorpiex DriveMgr Command" + + Detects specific command used by the Phorpiex botnet to execute a copy of the loader during its self-spreading stage. As described by Microsoft, this behavior is unique and easily identifiable due to the use of folders named with underscores "__" and the PE name "DriveMgr.exe". + + - **Effort:** elementary + +??? abstract "Phorpiex Process Masquerading" + + Detects specific process executable path used by the Phorpiex botnet to masquerade its system process network activity. It looks for a pattern of a system process executable name that is not legitimate and running from a folder that is created via a random algorithm 13-15 numbers long. + + - **Effort:** elementary + +??? abstract "Possible Malicious File Double Extension" + + Detects request to potential malicious file with double extension + + - **Effort:** elementary + +??? abstract "PowerCat Function Loading" + + Detect a basic execution of PowerCat. PowerCat is a PowerShell function allowing to do basic connections, file transfer, shells, relays, generate payloads. + + - **Effort:** intermediate + +??? abstract "PowerShell AMSI Deactivation Bypass Using .NET Reflection" + + Detects Request to amsiInitFailed that can be used to disable AMSI (Antimalware Scan Interface) Scanning. More information about Antimalware Scan Interface https://docs.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface-portal. + + - **Effort:** elementary + +??? abstract "PowerShell Downgrade Attack" + + Detects PowerShell downgrade attack by comparing the host versions with the actually used engine version 2.0 + + - **Effort:** elementary + +??? abstract "PowerShell Download From URL" + + Detects a Powershell process that contains download commands in its command line string + + - **Effort:** intermediate + +??? abstract "PowerShell EncodedCommand" + + Detects popular file extensions in commands obfuscated in base64 run through the EncodedCommand option. + + - **Effort:** advanced + +??? abstract "PowerShell Execution Via Rundll32" + + Detects PowerShell Strings applied to rundll as seen in PowerShdll.dll Rule modified + + - **Effort:** intermediate + +??? abstract "PowerShell Malicious Nishang PowerShell Commandlets" + + Detects Commandlet names and arguments from the Nishang exploitation framework + + - **Effort:** advanced + +??? abstract "Powershell UploadString Function" + + Powershell's `uploadXXX` functions are a category of methods which can be used to exfiltrate data through native means on a Windows host. + + - **Effort:** intermediate + +??? abstract "Powershell Web Request" + + Detects the use of various web request methods executed remotely via Windows PowerShell + + - **Effort:** advanced + +??? abstract "Process Memory Dump Using Comsvcs" + + Detects the use of comsvcs in command line to dump a specific proces memory. This techinique is widlely used by attackers for privilege escalation and pivot. + + - **Effort:** elementary + +??? abstract "Process Memory Dump Using Rdrleakdiag" + + Detects the use of rdrleakdiag.exe in command line to dump the memory of a process. This technique is used by attackers for privilege escalation and pivot. + + - **Effort:** elementary + +??? abstract "Process Trace Alteration" + + PTrace syscall provides a means by which one process ("tracer") may observe and control the execution of another process ("tracee") and examine and change the tracee's memory and registers. Attacker might want to abuse ptrace functionnality to analyse memory process. It requires to be admin or set ptrace_scope to 0 to allow all user to trace any process. + + - **Effort:** advanced + +??? abstract "ProxyShell Exchange Suspicious Paths" + + Detects suspicious calls to Exchange resources, in locations related to webshells observed in campaigns using this vulnerability. + + - **Effort:** elementary + +??? abstract "PsExec Process" + + Detects PsExec execution, command line which contains pstools or installation of the PsExec service. PsExec is a SysInternals which can be used to execute a program on another computer. The tool is as much used by attackers as by administrators. + + - **Effort:** advanced + +??? abstract "Python HTTP Server" + + Detects command used to start a Simple HTTP server in Python. Threat actors could use it for data extraction, hosting a webshell or else. + + - **Effort:** intermediate + +??? abstract "QakBot Process Creation" + + Detects QakBot like process executions + + - **Effort:** intermediate + +??? abstract "Qakbot Persistence Using Schtasks" + + Detects possible Qakbot persistence using schtasks. + + - **Effort:** intermediate + +??? abstract "RDP Sensitive Settings Changed" + + Detects changes to RDP terminal service sensitive settings. Logging for registry events is needed in the Sysmon configuration (events 12 and 13). + + - **Effort:** advanced + +??? abstract "RDP Session Discovery" + + Detects use of RDP session discovery via qwinsta or quser. Used by some threat actors to know if someone is working via RDP on a server. + + - **Effort:** advanced + +??? abstract "RUN Registry Key Created From Suspicious Folder" + + Detects the suspicious RUN keys created by software located in Download or temporary Outlook/Internet Explorer directories. Prerequisites are logging for Registry events, which can be done with Sysmon (events 12 and 13). + + - **Effort:** advanced + +??? abstract "RYUK Ransomeware - martinstevens Username" + + Detects user name "martinstevens". Wizard Spider is used to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns; in 2019 and 2020. + + - **Effort:** elementary + +??? abstract "Raccine Uninstall" + + Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. + + - **Effort:** elementary + +??? abstract "Rare Logonui Child Found" + + Logonui.exe is a file associated with the Logon user interface. The login user interface is an essential part of the Windows operating system. It not only makes it easy for the user to log in to the PC but also determines whether the user has logged in and logged out correctly and makes it easy to switch between users. This process could create a child process but it is very rare and could be a signal of some process injection. + + - **Effort:** advanced + +??? abstract "Rare Lsass Child Found" + + Lsass ensures the identification of users (domain users or local users). Domain users are identified based on information in the Active Directory. Local users are identified based on information from the Security Account Manager (SAM) local database. This process should not create a child process or it is very rare. + + - **Effort:** intermediate + +??? abstract "Rclone Process" + + Detects Rclone executable or Rclone execution by using the process name, the execution through a command obfuscated or not. + + - **Effort:** advanced + +??? abstract "RedMimicry Winnti Playbook Registry Manipulation" + + Detects actions caused by the RedMimicry Winnti playbook. Logging for Registry events is needed in the Sysmon configuration (events 12 and 13). + + - **Effort:** elementary + +??? abstract "Rubeus Tool Command-line" + + Detects command line parameters used by Rubeus, a toolset to interact with Kerberos and abuse it. + + - **Effort:** advanced + +??? abstract "SEKOIA.IO Intelligence Feed" + + Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team. + + - **Effort:** elementary + +??? abstract "SOCKS Tunneling Tool" + + Detects the usage of a SOCKS tunneling tool, often used by threat actors. These tools often use the socks5 commandline argument, however socks4 can sometimes be used as well. Unfortunately, socks alone (without any number) triggered too many false positives. + + - **Effort:** intermediate + +??? abstract "SSH Authorized Key Alteration" + + The file authorized_keys is used by SSH server to identify SSH keys that are authorized to connect to the host, alteration of one of those files might indicate a user compromision + + - **Effort:** advanced + +??? abstract "STRRAT Scheduled Task" + + Detect STRRAT when it achieves persistence by creating a scheduled task. STRRAT is a Java-based stealer and remote backdoor, it establishes persistence using this specific command line: 'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SAMPLENAME.jar"' + + - **Effort:** intermediate + +??? abstract "Schtasks Persistence With High Privileges" + + Detection of scheduled task with high privileges used by attacker for persistence. + + - **Effort:** elementary + +??? abstract "Schtasks Suspicious Parent" + + Detects schtasks started from suspicious and/or unusual processes. + + - **Effort:** intermediate + +??? abstract "Searchindexer Wrong Parent" + + Detects if the Search Indexer was executed by a non-legitimate parent process. Search Indexer is the Windows service that handles indexing of your files for Windows Search. + + - **Effort:** intermediate + +??? abstract "Searchprotocolhost Child Found" + + SearchProtocolHost.exe is part of the Windows Indexing Service, an application that indexes files from the local drive making them easier to search. This is a crucial part of the Windows operating system. This process should not create a child process or it is very rare. + + - **Effort:** intermediate + +??? abstract "Searchprotocolhost Wrong Parent" + + Detects if the Search Protocol Host process was executed by a non-legitimate parent process. Search Protocol Host is part of the Windows Indexing Service, a service indexing files on the local drive making them easier to search. + + - **Effort:** intermediate + +??? abstract "Security Support Provider (SSP) Added to LSA Configuration" + + Detects the addition of a SSP to the registry. This is commonly used for persistence. Upon a reboot or API call, SSP DLLs gain access to encrypted and plaintext passwords stored in Windows. Logging for Registry events is needed for this rule to work (this can be done through Sysmon EventIDs 12 and 13). + + - **Effort:** elementary + +??? abstract "Smss Wrong Parent" + + Detects if the Smss process was executed by a non-legitimate parent process. Session Manager Subsystem (smss) process is a component of the Microsoft Windows NT family of operating systems. + + - **Effort:** intermediate + +??? abstract "SolarWinds Wrong Child Process" + + Detects SolarWinds process starting an unusual child process. Process solarwinds.businesslayerhost.exe and solarwinds.businesslayerhostx64.exe created an unexepected child process which doesn't correspond to the legitimate ones. + + - **Effort:** intermediate + +??? abstract "Spoolsv Wrong Parent" + + Detects if the Spoolsv process was executed by a non-legitimate parent process. Printer Spooler Service (Spoolsv) process is responsible for managing spooled print/fax jobs. + + - **Effort:** intermediate + +??? abstract "Spyware Persistence Using Schtasks" + + Detects possible Agent Tesla or Formbook persistence using schtasks. The name of the scheduled task used by these malware is very specific (Updates/randomstring). + + - **Effort:** intermediate + +??? abstract "SquirrelWaffle Malspam Execution Loading DLL" + + Detects cscript running suspicious command to load a DLL. This behavior has been detected in SquirrelWaffle campaign. + + - **Effort:** intermediate + +??? abstract "Sticky Key Like Backdoor Usage" + + Detects the usage and installation of a backdoor that uses an option to register a malicious debugger for built-in tools that are accessible in the login screen. Prerequisites are logging for Registry events, which can be done with Sysmon (events 12 and 13). + + - **Effort:** elementary + +??? abstract "Suncrypt Parameters" + + Detects SunCrypt ransomware's parameters, most of which are unique. + + - **Effort:** elementary + +??? abstract "Suspicious Cmd File Copy Command To Network Share" + + Copy suspicious files through Windows cmd prompt to network share + + - **Effort:** intermediate + +??? abstract "Suspicious Cmd.exe Command Line" + + Detection on suspicious cmd.exe command line seen being used by some attackers (e.g. Lazarus with Word macros). This requires Windows process command line logging. + + - **Effort:** advanced + +??? abstract "Suspicious Commands From MS SQL Server Shell" + + Detection of some shell commmands run from a cmd executed by Microsoft MS SQL Server. It could be a sign of xp_cmdshell allowed on the MS-SQL server. + + - **Effort:** intermediate + +??? abstract "Suspicious Control Process" + + Detects suspicious execution of control.exe process when used to execute a DLL file. + + - **Effort:** advanced + +??? abstract "Suspicious DLL Loading By Ordinal" + + Detects suspicious DLL Loading by ordinal number in a non legitimate or rare folders. For example, Sofacy (APT28) used this technique to load their Trojan in a campaign of 2018. + + - **Effort:** intermediate + +??? abstract "Suspicious DNS Child Process" + + Detects suspicious processes spawned by the dns.exe process. It could be a great indication of the exploitation of the DNS RCE bug reported in CVE-2020-1350 (SIGRED). + + - **Effort:** intermediate + +??? abstract "Suspicious Double Extension" + + Detects suspicious use of an .exe extension after a non-executable file extension like .pdf.exe, a set of spaces or underlines to cloak the executable file in spearphishing campaigns + + - **Effort:** elementary + +??? abstract "Suspicious Driver Loaded" + + Checks the registry key for suspicious driver names that are vulnerable most of the time and loaded in a specific location by the KDU tool from hfiref0x. Some drivers are used by several SysInternals tools, which should have been whitelisted in the filter condition. The driver named "DBUtilDrv2" has been removed as it caused too many false positives unfortunately. It can be added under "drv_name" if more coverage is wanted. This rule needs registry key monitoring (can be done with Sysmon Event IDs 12,13 and 14). + + - **Effort:** intermediate + +??? abstract "Suspicious Finger Usage" + + Detects suspicious aged finger.exe tool execution often used in malware attacks nowadays. An attacker can use finger to silently retrieve a command, a script or a payload from a remote server. For example, the tool Darkfinger-C2 uses this technique to download files from the C2 channel. + + - **Effort:** intermediate + +??? abstract "Suspicious HWP Child Process" + + Detects suspicious Hangul Word Processor (HWP) child process that could indicate an exploitation as used by the Lazarus APT during the Operation Ghost Puppet (2018). This activity could correspond to a maldoc execution related to a .hwp file. Hangul is a proprietary word processing application that supports the Korean written language. + + - **Effort:** elementary + +??? abstract "Suspicious Headless Web Browser Execution To Download File" + + Detects a suspicious command used to execute a Chromium-based web browser (Chrome or Edge) using the headless mode, meaning that the browser window wouldn't be visible, and the dump mode to download a file. This technique can be used to fingerprint the compromised host, in particular by the Ducktail infostealer. + + - **Effort:** elementary + +??? abstract "Suspicious Microsoft Defender Antivirus Exclusion Command" + + Detects PowerShell commands aiming to exclude path, process, IP address, or extension from scheduled and real-time scanning. These commands can be used by attackers or malware to avoid being detected by Windows Defender. Depending on the environment and the installed software, this detection rule could raise false positives. We recommend customizing this rule by filtering legitimate processes that use Windows Defender exclusion command in your environment. + + - **Effort:** master + +??? abstract "Suspicious Mshta Execution" + + Detects suspicious mshta.exe execution patterns, either involving file polyglotism, remote file (http, ftp or ldap) or suspicious location. This technique is often used by threat actors. + + - **Effort:** intermediate + +??? abstract "Suspicious Mshta Execution From Wmi" + + Detects mshta executed by wmiprvse as parent. It has been used by TA505 with some malicious documents. + + - **Effort:** intermediate + +??? abstract "Suspicious Netsh DLL Persistence" + + Detects persitence via netsh helper. Netsh interacts with other operating system components using dynamic-link library (DLL) files. Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. + + - **Effort:** elementary + +??? abstract "Suspicious Network Args In Command Line" + + Detection on some commonly observed suspicious processes command lines using HTTP schema with port 443. + + - **Effort:** intermediate + +??? abstract "Suspicious Outlook Child Process" + + Detects suspicious child processes of Microsoft Outlook. These child processes are often associated with spearphishing activity. + + - **Effort:** intermediate + +??? abstract "Suspicious PowerShell Invocations - Specific" + + Detects suspicious PowerShell invocation command parameters + + - **Effort:** intermediate + +??? abstract "Suspicious PrinterPorts Creation (CVE-2020-1048)" + + Detects new commands that add new printer port which point to suspicious file + + - **Effort:** advanced + +??? abstract "Suspicious Process Requiring DLL Starts Without DLL" + + Detects potential process injection and hollowing on processes that usually require a DLL to be launched, but are launched without any argument. + + - **Effort:** intermediate + +??? abstract "Suspicious Regsvr32 Execution" + + Detects suspicious regsvr32.exe executions, either regsvr32 registering a DLL in an unusual repository (temp/, appdata/ or public/), or regsvr32 executed by an unusual parent process, or regsvr32 executing an unusual process, or regsvr32 registering a media file and not a DLL (as seen in IcedID campaigns), or regsvr32 registering a ocx file in appdata/. + + - **Effort:** intermediate + +??? abstract "Suspicious Rundll32.exe Execution" + + The process rundll32.exe executes a newly dropped DLL with update /i in the command line. This specific technic was observed at least being used by the IcedID loading mechanism dubbed Gziploader. + + - **Effort:** intermediate + +??? abstract "Suspicious Scheduled Task Creation" + + Detects suspicious scheduled task creation, either executed by a non-system user or a user who is not administrator (the user ID is not S-1-5-18 or S-1-5-18-*). This detection rule doesn't match Sysmon EventID 1 because the user SID is always set to S-1-5-18. + + - **Effort:** intermediate + +??? abstract "Suspicious Taskkill Command" + + Detects rare taskkill command being used. It could be related to Baby Shark malware. + + - **Effort:** intermediate + +??? abstract "Suspicious URI Used In A Lazarus Campaign" + + Detects suspicious requests to a specific URI, usually on an .asp page. The website is often compromised. + + - **Effort:** intermediate + +??? abstract "Suspicious VBS Execution Parameter" + + Detects suspicious VBS file execution with a specific parameter by cscript. It was observed in the Operation CloudHopper. + + - **Effort:** elementary + +??? abstract "Suspicious Windows Installer Execution" + + Detects suspicious execution of the Windows Installer service (msiexec.exe) which could be used to install a malicious MSI package hosted on a remote server. + + - **Effort:** intermediate + +??? abstract "Suspicious Windows Script Execution" + + Detects wscript.exe or cscript.exe executing a script in user directories (C:\ProgramData or C:\Users) with a .txt extension, which is very suspicious. It could strongly correspond to a malware dropper, as seen during SquirrelWaffle maldoc campaign. + + - **Effort:** intermediate + +??? abstract "Suspicious certutil command" + + Detects suspicious certutil command which can be used by threat actors to download and/or decode payload. + + - **Effort:** intermediate + +??? abstract "Svchost Wrong Parent" + + Detects if the svchost.exe process was executed by a non-legitimate parent process. Svchost (Service Host Process) is a generic host process name for services that run from dynamic-link libraries (DLLs). + + - **Effort:** advanced + +??? abstract "Sysprep On AppData Folder" + + Detects suspicious Sysprep process start with AppData folder as target (as used by Trojan Syndicasec in Thrip report by Symantec). Sysprep is a Windows tool used to change Windows images from a generalized state to a specialized state, and then back to a generalized state. It can be used to remove all system-specific information and reset the computer. + + - **Effort:** intermediate + +??? abstract "System Info Discovery" + + System info discovery, attempt to detects basic command use to fingerprint a host + + - **Effort:** master + +??? abstract "Taskhost Wrong Parent" + + Detects if the Taskhost process was executed by a non-legitimate parent process. Taskhost is the process of the Windows Task Manager which lists the processes that are currently running on the computer system. + + - **Effort:** intermediate + +??? abstract "Taskhost or Taskhostw Suspicious Child Found" + + Task Host manages pop-up windows when users try to close them in a Windows environment. Taskhost.exe triggers the host process for the task. Task Host is a Windows process designed to alert users when dialog boxes close. It is usually launched when restarting and shutting down a PC, and checks if all programs have been properly closed. This process should not create a child process or it is very rare. + + - **Effort:** advanced + +??? abstract "Taskhostw Wrong Parent" + + Detects if the Taskhostw process was executed by a non-legitimate parent process. Taskhostw is a software component of Windows service start manager, it starts DLL-based Windows services when the computer boots up. + + - **Effort:** intermediate + +??? abstract "Trickbot Malware Activity" + + Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe + + - **Effort:** intermediate + +??? abstract "UAC Bypass Using Fodhelper" + + Detects UAC bypass method using Fodhelper after setting the proper registry key, used in particular by Agent Tesla (RAT) or more recently by Earth Luscas. Prerequisites are logging for Registry events in the Sysmon configuration (events 12 and 13). + + - **Effort:** intermediate + +??? abstract "UAC Bypass Via Sdclt" + + Detects changes to HKCU\Software\Classes\exefile\shell\runas\command\isolatedCommand by an attacker in order to bypass User Account Control (UAC) + + - **Effort:** elementary + +??? abstract "UAC Bypass via Event Viewer" + + Detects UAC bypass method using Windows event viewer. + + - **Effort:** elementary + +??? abstract "Ursnif Registry Key" + + Detects a new registry key created by Ursnif malware. The rule requires to log for Registry Events, which can be done using SYsmon's Event IDs 12,13 and 14. + + - **Effort:** elementary + +??? abstract "Usage Of Procdump With Common Arguments" + + Detects the usage of Procdump sysinternals tool with some common arguments and followed by common patterns. + + - **Effort:** intermediate + +??? abstract "Usage Of Sysinternals Tools" + + Detects the usage of Sysinternals Tools due to accepteula key being added to Registry. The rule detects it either from the command line usage or from the regsitry events. For the later prerequisite is logging for registry events in the Sysmon configuration (events 12 and 13). + + - **Effort:** master + +??? abstract "Userinit Wrong Parent" + + Userinit.exe is a key process in the Windows operating system. On boot-up it manages the different start up sequences needed, such as establishing network connection and starting up the Windows shell. This rule analyse if the parent of this process is a legitimate one or not. + + - **Effort:** intermediate + +??? abstract "WMI Install Of Binary" + + Detection of WMI used to install a binary on the host. It is often used by attackers as a signed binary to infect an host. + + - **Effort:** elementary + +??? abstract "WMI Persistence Script Event Consumer File Write" + + Detects file writes through WMI script event consumer. + + - **Effort:** advanced + +??? abstract "WMIC Command To Determine The Antivirus" + + Detects WMIC command to determine the antivirus on a system, characteristic of the ZLoader malware (and possibly others) + + - **Effort:** intermediate + +??? abstract "WMIC Uninstall Product" + + Detects products being uninstalled using WMIC command. + + - **Effort:** intermediate + +??? abstract "Webshell Execution W3WP Process" + + Detects possible webshell execution on Windows Servers which is usually a w3wp parent process with the user name DefaultAppPool. + + - **Effort:** advanced + +??? abstract "WiFi Credentials Harvesting Using Netsh" + + Detects the harvesting of WiFi credentials using netsh.exe, used in particular by Agent Tesla (RAT) and Turla Mosquito (RAT) + + - **Effort:** elementary + +??? abstract "Windows Credential Editor Registry Key" + + Detects the use of Windows Credential Editor (WCE). Prerequisites are logging for Registry events in the Sysmon configuration (events 12 and 13). + + - **Effort:** elementary + +??? abstract "Windows Firewall Changes" + + Detects changes on Windows Firewall configuration + + - **Effort:** master + +??? abstract "Windows Registry Persistence COM Key Linking" + + Detects COM object hijacking via TreatAs subkey. Logging for Registry events is needed in the Sysmon configuration with this kind of rule `\TreatAs\(Default)`. + + - **Effort:** master + +??? abstract "Windows Update LolBins" + + This rule try to detect a suspicious behavior of wuauclt.exe (windows update client) that could be a lolbins. Wuauctl.exe could be used to execute a malicious program. + + - **Effort:** elementary + +??? abstract "Winlogon wrong parent" + + Winlogon.exe is a process that performs the Windows login management function, handling user login and logout in Windows. You see this process in action whenever the operating system asks you for your username and password. It is also responsible for loading user profiles after login, this supports automated login (when relevant) and keyboard and mouse inactivity monitoring to decide when to invoke the screen saver. This rule analyse if the parent of this process is a legitimate one or not. + + - **Effort:** advanced + +??? abstract "Winword Document Droppers" + + Detects specific process characteristics of word document droppers. This techniques has been used by Maze ransomware operators. + + - **Effort:** elementary + +??? abstract "Winword wrong parent" + + Word is a well known Windows process used to read documents. Some malicious process could use it to run malicious code. The rule tries to detect winword.exe launched with a suspect parent process name. + + - **Effort:** advanced + +??? abstract "Wmic Process Call Creation" + + The WMI command-line (WMIC) utility provides a command-line interface for Windows Management Instrumentation (WMI). WMIC is compatible with existing shells and utility commands. Although WMI is supposed to be an administration tool, it is wildy abused by threat actors. One of the reasons is WMI is quite stealthy. This rule detects the wmic command line launching a process on a remote or local host. + + - **Effort:** intermediate + +??? abstract "Wmic Service Call" + + Detects either remote or local code execution using wmic tool. + + - **Effort:** intermediate + +??? abstract "Wmiprvse Wrong Parent" + + Detects if the Wmiprvse process was executed by a non-legitimate parent process. The wmiprvse.exe process (wmiprvse stands for Microsoft Windows Management Instrumentation) is a generic process for managing clients on Windows. It is initialized the first time a client application connects and allows you to monitor system resources. This requires Windows command line logging. + + - **Effort:** intermediate + +??? abstract "Wsmprovhost Wrong Parent" + + Detects if the Wsmprovhost process was executed by a non-legitimate parent process. The PowerShell host wsmprovhost.exe is a proxy process executed remotely through PowerShell when using Windows Remote Management (WinRM). + + - **Effort:** intermediate + +??? abstract "XCopy Suspicious Usage" + + Detects the usage of xcopy with suspicious command line options (used by Judgment Panda APT in the past). The rule is based on command line only in case xcopy is renamed. + + - **Effort:** advanced + +??? abstract "XSL Script Processing And SquiblyTwo Attack" + + Detection of an attack where adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Another variation of this technique, dubbed "Squiblytwo", involves to invoke JScript or VBScript within an XSL file. + + - **Effort:** intermediate + +??? abstract "xWizard Execution" + + Detects the execution of Xwizard tool with specific arguments which utilized to run custom class properties. + + - **Effort:** master diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md index e7b1e5f399..b3324f6053 100644 --- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md +++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md @@ -1,6 +1,6 @@ # Built-in detection rules, EventIDs and EventProviders relations SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture. -This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2023-09-05_ +This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2023-09-15_ The colors of the EventIDs in this page should be interpreted as follow: @@ -12,507 +12,523 @@ The colors of the EventIDs in this page should be interpreted as follow: ## Rules x Effort Level x EventIDs x Event Providers | Rule Name | Effort Level | EventIDs | Event Providers | | --------- | ------------ | -------- | --------------- | -| Usage Of Sysinternals Tools | master | 1, 13 | Microsoft-Windows-Sysmon | | Microsoft 365 (Office 365) MCAS New Country | master | 98 | | -| Svchost DLL Search Order Hijack | master | 7 | Microsoft-Windows-Sysmon | -| SCM Database Privileged Operation | master | 4674 | Microsoft-Windows-Security-Auditing | -| User Account Deleted | master | 4743 | Microsoft-Windows-Security-Auditing | -| Network Share Discovery | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Abusing Azure Browser SSO | master | 7 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Disable Using Registry | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Admin Share Access | master | 5140, 5145 | Microsoft-Windows-Security-Auditing | -| Malware Persistence Registry Key | master | 1, 13 | Microsoft-Windows-Sysmon | | Microsoft 365 (Office 365) MCAS Inbox Hiding | master | 98 | | -| Microsoft Defender Antivirus History Deleted | master | 1013 | Microsoft-Windows-Windows Defender | -| Process Hollowing Detection | master | 25 | Microsoft-Windows-Sysmon | -| Suspicious Microsoft Defender Antivirus Exclusion Command | master | 1 | Microsoft-Windows-Sysmon | -| WMI DLL Loaded Via Office | master | 7 | Microsoft-Windows-Sysmon | -| Suspicious New Printer Ports In Registry | master | 13 | Microsoft-Windows-Sysmon | -| Account Added To A Security Enabled Group | master | 4728 | Microsoft-Windows-Security-Auditing | -| List Shadow Copies | master | 4104 | Microsoft-Windows-PowerShell | -| Protected Storage Service Access | master | 5145 | Microsoft-Windows-Security-Auditing | -| CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv | master | 7, 11 | Microsoft-Windows-Sysmon | -| Execution From Suspicious Folder | master | 1 | Microsoft-Windows-Sysmon | -| Process Herpaderping | master | 25 | Microsoft-Windows-Sysmon | -| Narrator Feedback-Hub Persistence | master | 13 | Microsoft-Windows-Sysmon | -| Potential RDP Connection To Non-Domain Host | master | 8001 | Microsoft-Windows-NTLM | -| PowerShell Malicious PowerShell Commandlets | master | 4104 | Microsoft-Windows-PowerShell | -| AD Privileged Users Or Groups Reconnaissance | master | 4661 | Microsoft-Windows-Security-Auditing | +| SCM Database Handle Failure | master | 4656 | Microsoft-Windows-Security-Auditing | | Advanced IP Scanner | master | 1 | Microsoft-Windows-Sysmon | -| In-memory PowerShell | master | 7 | Microsoft-Windows-Sysmon | -| DNS ServerLevelPluginDll Installation | master | 1, 13 | Microsoft-Windows-Sysmon | +| Rubeus Register New Logon Process | master | 4611 | Microsoft-Windows-Security-Auditing | +| Admin User RDP Remote Logon | master | 4624 | Microsoft-Windows-Security-Auditing | +| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | 4673 | Microsoft-Windows-Security-Auditing | +| AD Privileged Users Or Groups Reconnaissance | master | 4661 | Microsoft-Windows-Security-Auditing | | Microsoft Defender Antivirus Configuration Changed | master | 5007 | Microsoft-Windows-Windows Defender | | Registry Checked For Lanmanserver DisableCompression Parameter | master | 4663 | Microsoft-Windows-Security-Auditing | -| Failed Logon Source From Public IP Addresses | master | 4625 | Microsoft-Windows-Security-Auditing | -| Netsh Port Opening | master | 1 | Microsoft-Windows-Sysmon | -| Windows Registry Persistence COM Key Linking | master | 1, 13 | Microsoft-Windows-Sysmon | -| AD User Enumeration | master | 4662 | Microsoft-Windows-Security-Auditing | -| Windows Firewall Changes | master | 1 | Microsoft-Windows-Sysmon | -| DNS Server Error Failed Loading The ServerLevelPluginDLL | master | 150, 770, 771 | Microsoft-Windows-DNS-Server-Service | -| WMIC Loading Scripting Libraries | master | 7 | Microsoft-Windows-Sysmon | -| Microsoft Office Creating Suspicious File | master | 11 | Microsoft-Windows-Sysmon | -| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | 4673 | Microsoft-Windows-Security-Auditing | -| Data Compressed With Rar | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Suspicious PsExec Execution | master | 5145 | Microsoft-Windows-Security-Auditing | -| Suspicious Access To Sensitive File Extensions | master | 5145 | Microsoft-Windows-Security-Auditing | -| Putty Sessions Listing | master | 1, 4656, 4663 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon | -| Stop Backup Services | master | 1, 13 | Microsoft-Windows-Sysmon | -| Disable Security Events Logging Adding Reg Key MiniNt | master | 13 | Microsoft-Windows-Sysmon | -| xWizard Execution | master | 1 | Kernel-Process | -| Admin User RDP Remote Logon | master | 4624 | Microsoft-Windows-Security-Auditing | -| FoggyWeb Backdoor DLL Loading | master | 7 | Microsoft-Windows-Sysmon | -| Sysmon Windows File Block Executable | master | 27 | Microsoft-Windows-Sysmon | +| Privileged AD Builtin Group Modified | master | 4727, 4728, 4729, 4730, 4754, 4756, 4757, 4758, 4764 | Microsoft-Windows-Security-Auditing | +| PowerShell Malicious PowerShell Commandlets | master | 4104 | Microsoft-Windows-PowerShell | +| Remote Registry Management Using Reg Utility | master | 5145 | Microsoft-Windows-Security-Auditing | +| Execution From Suspicious Folder | master | 1 | Microsoft-Windows-Sysmon | | Microsoft Defender Antivirus Exclusion Configuration | master | 13, 5007 | Microsoft-Windows-Sysmon, Microsoft-Windows-Windows Defender | -| CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | 3 | Microsoft-Windows-Sysmon | -| Windows Defender Deactivation Using PowerShell Script | master | 4104 | Microsoft-Windows-PowerShell | -| Microsoft 365 (Office 365) MCAS Repeated Failed Login | master | 98 | | -| Microsoft 365 Device Code Authentication | master | 15 | | -| Cobalt Strike Named Pipes | master | 17 | Microsoft-Windows-Sysmon | -| SCM Database Handle Failure | master | 4656 | Microsoft-Windows-Security-Auditing | +| Disable Security Events Logging Adding Reg Key MiniNt | master | 13 | Microsoft-Windows-Sysmon | +| File Or Folder Permissions Modifications | master | 1 | Microsoft-Windows-Sysmon | +| Suspicious PsExec Execution | master | 5145 | Microsoft-Windows-Security-Auditing | | Autorun Keys Modification | master | 12 | Microsoft-Windows-Sysmon | -| Remote Registry Management Using Reg Utility | master | 5145 | Microsoft-Windows-Security-Auditing | -| Webshell Creation | master | 11, 4656, 4663 | Microsoft-Windows-Sysmon | +| User Account Deleted | master | 4743 | Microsoft-Windows-Security-Auditing | +| Credential Dumping-Tools Common Named Pipes | master | 17 | Microsoft-Windows-Sysmon | +| Windows Defender Deactivation Using PowerShell Script | master | 4104 | Microsoft-Windows-PowerShell | +| Account Added To A Security Enabled Group | master | 4728 | Microsoft-Windows-Security-Auditing | +| CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | 3 | Microsoft-Windows-Sysmon | | LSASS Memory Dump | master | 10 | Microsoft-Windows-Sysmon | +| Microsoft 365 (Office 365) MCAS Repeated Failed Login | master | 98 | | | TOR Usage Generic Rule | master | 3 | Microsoft-Windows-Sysmon | -| File Or Folder Permissions Modifications | master | 1 | Microsoft-Windows-Sysmon | -| Rubeus Register New Logon Process | master | 4611 | Microsoft-Windows-Security-Auditing | -| Microsoft 365 (Office 365) MCAS Risky IP | master | 98 | | -| LSASS Access From Non System Account | master | 4656, 4663 | Microsoft-Windows-Security-Auditing | -| Credential Dumping-Tools Common Named Pipes | master | 17 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Disable Using Registry | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Net.exe User Account Creation | master | 1 | Microsoft-Windows-Sysmon | +| Potential RDP Connection To Non-Domain Host | master | 8001 | Microsoft-Windows-NTLM | +| Usage Of Sysinternals Tools | master | 1, 13 | Microsoft-Windows-Sysmon | +| In-memory PowerShell | master | 7 | Microsoft-Windows-Sysmon | +| Abusing Azure Browser SSO | master | 7 | Microsoft-Windows-Sysmon | | Suspicious DLL Loaded Via Office Applications | master | 7 | Microsoft-Windows-Sysmon | -| FromBase64String Command Line | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Suspicious Access To Sensitive File Extensions | master | 5145 | Microsoft-Windows-Security-Auditing | +| Malware Persistence Registry Key | master | 1, 13 | Microsoft-Windows-Sysmon | | Account Removed From A Security Enabled Group | master | 4729 | Microsoft-Windows-Security-Auditing | -| Net.exe User Account Creation | master | 1 | Microsoft-Windows-Sysmon | -| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | 13 | Microsoft-Windows-Sysmon | -| Privileged AD Builtin Group Modified | master | 4727, 4728, 4729, 4730, 4754, 4756, 4757, 4758, 4764 | Microsoft-Windows-Security-Auditing | -| Microsoft 365 (Office 365) MCAS Repeated Delete | master | 98 | | +| Narrator Feedback-Hub Persistence | master | 13 | Microsoft-Windows-Sysmon | +| Windows Registry Persistence COM Key Linking | master | 1, 13 | Microsoft-Windows-Sysmon | +| FoggyWeb Backdoor DLL Loading | master | 7 | Microsoft-Windows-Sysmon | +| SCM Database Privileged Operation | master | 4674 | Microsoft-Windows-Security-Auditing | +| Cobalt Strike Named Pipes | master | 17 | Microsoft-Windows-Sysmon | +| DNS Server Error Failed Loading The ServerLevelPluginDLL | master | 150, 770, 771 | Microsoft-Windows-DNS-Server-Service | | User Account Created | master | 4720 | Microsoft-Windows-Security-Auditing | +| List Shadow Copies | master | 4104 | Microsoft-Windows-PowerShell | +| LSASS Access From Non System Account | master | 4656, 4663 | Microsoft-Windows-Security-Auditing | +| Failed Logon Source From Public IP Addresses | master | 4625 | Microsoft-Windows-Security-Auditing | +| Microsoft 365 Device Code Authentication | master | 15 | | +| Process Herpaderping | master | 25 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus History Deleted | master | 1013 | Microsoft-Windows-Windows Defender | +| Svchost DLL Search Order Hijack | master | 7 | Microsoft-Windows-Sysmon | +| Microsoft 365 (Office 365) MCAS Risky IP | master | 98 | | +| WMIC Loading Scripting Libraries | master | 7 | Microsoft-Windows-Sysmon | +| CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv | master | 7, 11 | Microsoft-Windows-Sysmon | +| Sysmon Windows File Block Executable | master | 27 | Microsoft-Windows-Sysmon | +| Suspicious Microsoft Defender Antivirus Exclusion Command | master | 1 | Microsoft-Windows-Sysmon | +| Suspicious New Printer Ports In Registry | master | 13 | Microsoft-Windows-Sysmon | +| FromBase64String Command Line | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Admin Share Access | master | 5140, 5145 | Microsoft-Windows-Security-Auditing | +| Network Share Discovery | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | | Microsoft 365 (Office 365) MCAS Detection Velocity | master | 98 | | -| Telegram Bot API Request | advanced | 22 | Microsoft-Windows-Sysmon | +| Microsoft 365 (Office 365) MCAS Repeated Delete | master | 98 | | +| DNS ServerLevelPluginDll Installation | master | 1, 13 | Microsoft-Windows-Sysmon | +| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | 13 | Microsoft-Windows-Sysmon | +| Windows Firewall Changes | master | 1 | Microsoft-Windows-Sysmon | +| Webshell Creation | master | 11, 4656, 4663 | Microsoft-Windows-Sysmon | +| Stop Backup Services | master | 1, 13 | Microsoft-Windows-Sysmon | +| Microsoft Office Creating Suspicious File | master | 11 | Microsoft-Windows-Sysmon | +| Netsh Port Opening | master | 1 | Microsoft-Windows-Sysmon | +| xWizard Execution | master | 1 | Kernel-Process | +| AD User Enumeration | master | 4662 | Microsoft-Windows-Security-Auditing | +| Process Hollowing Detection | master | 25 | Microsoft-Windows-Sysmon | +| WMI DLL Loaded Via Office | master | 7 | Microsoft-Windows-Sysmon | +| Protected Storage Service Access | master | 5145 | Microsoft-Windows-Security-Auditing | +| Putty Sessions Listing | master | 1, 4656, 4663 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon | +| SAM Registry Hive Handle Request | advanced | 4656 | Microsoft-Windows-Security-Auditing | | Alternate PowerShell Hosts Pipe | advanced | 17 | Microsoft-Windows-Sysmon | -| Legitimate Process Execution From Unusual Folder | advanced | 1, 5, 4688 | Microsoft-Windows-Sysmon | -| Account Tampering - Suspicious Failed Logon Reasons | advanced | 4625, 4776 | Microsoft-Windows-Security-Auditing | -| Suspicious Control Process | advanced | 1 | Microsoft-Windows-Sysmon | -| Winword wrong parent | advanced | 4688 | Microsoft-Windows-Security-Auditing | -| RDP Session Discovery | advanced | 1 | Microsoft-Windows-Sysmon | -| Rubeus Tool Command-line | advanced | 1 | Microsoft-Windows-Sysmon | -| Change Default File Association | advanced | 1 | Microsoft-Windows-Sysmon | +| Remote Service Activity Via SVCCTL Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing | +| RDP Sensitive Settings Changed | advanced | 13 | Microsoft-Windows-Sysmon | +| Powershell Web Request | advanced | 1 | Microsoft-Windows-Sysmon | +| New Service Creation | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Taskhost or Taskhostw Suspicious Child Found | advanced | 1 | Microsoft-Windows-Sysmon | | Hiding Files With Attrib.exe | advanced | 1 | Microsoft-Windows-Sysmon | | Netsh Allow Command | advanced | 1 | Microsoft-Windows-Sysmon | +| Windows Registry Persistence COM Search Order Hijacking | advanced | 13 | Microsoft-Windows-Sysmon | | PowerShell - NTFS Alternate Data Stream | advanced | 4104 | Microsoft-Windows-PowerShell | -| WMI Event Subscription | advanced | 19, 20, 21 | Microsoft-Windows-Sysmon | -| Cmd.exe Used To Run Reconnaissance Commands | advanced | 1 | Microsoft-Windows-Sysmon | -| Suspicious Cmd.exe Command Line | advanced | 1 | Microsoft-Windows-Sysmon | -| Csrss Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Suspicious Outbound Kerberos Connection | advanced | 5156 | Microsoft-Windows-Security-Auditing | -| Lateral Movement - Remote Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing | -| Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically | advanced | 64 | | -| Malicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell | -| Unsigned Image Loaded Into LSASS Process | advanced | 7 | Microsoft-Windows-Sysmon | +| Suspicious ADSI-Cache Usage By Unknown Tool | advanced | 11 | Microsoft-Windows-Sysmon | +| PowerView commandlets 2 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Powershell AMSI Bypass | advanced | 4104 | Microsoft-Windows-PowerShell | +| Change Default File Association | advanced | 1 | Microsoft-Windows-Sysmon | +| Telegram Bot API Request | advanced | 22 | Microsoft-Windows-Sysmon | | Dynwrapx Module Loading | advanced | 7 | Microsoft-Windows-Sysmon | -| Webshell Execution W3WP Process | advanced | 1 | Microsoft-Windows-Sysmon | -| PowerShell Malicious Nishang PowerShell Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell | -| Python Opening Ports | advanced | 5154 | Microsoft-Windows-Security-Auditing | -| Suspicious PROCEXP152.sys File Created In Tmp | advanced | 11 | Microsoft-Windows-Sysmon | +| NTDS.dit File In Suspicious Directory | advanced | 11 | Microsoft-Windows-Sysmon | | External Disk Drive Or USB Storage Device | advanced | 6416 | Microsoft-Windows-Security-Auditing | -| PowerShell EncodedCommand | advanced | 1 | Microsoft-Windows-Sysmon | -| Winlogon wrong parent | advanced | 1 | Microsoft-Windows-Sysmon | | Suspicious PrinterPorts Creation (CVE-2020-1048) | advanced | 10 | Microsoft-Windows-Sysmon | -| New Service Creation | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| WMI Event Subscription | advanced | 19, 20, 21 | Microsoft-Windows-Sysmon | +| Microsoft Office Product Spawning Windows Shell | advanced | 1 | Microsoft-Windows-Sysmon | +| Control Panel Items | advanced | 1 | Microsoft-Windows-Sysmon | +| Suspicious Outbound Kerberos Connection | advanced | 5156 | Microsoft-Windows-Security-Auditing | | WMI Persistence Script Event Consumer File Write | advanced | 11 | Microsoft-Windows-Sysmon | -| Adexplorer Usage | advanced | 1 | Microsoft-Windows-Sysmon | | Suspicious XOR Encoded PowerShell Command Line | advanced | 4104 | Microsoft-Windows-PowerShell | -| Rclone Process | advanced | 1 | Microsoft-Windows-Sysmon | -| PowerView commandlets 1 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Suspicious Windows DNS Queries | advanced | 22 | Microsoft-Windows-Sysmon | -| Active Directory Replication from Non Machine Account | advanced | 4662 | Microsoft-Windows-Security-Auditing | +| Adexplorer Usage | advanced | 1 | Microsoft-Windows-Sysmon | +| Suspicious Cmd.exe Command Line | advanced | 1 | Microsoft-Windows-Sysmon | +| Account Tampering - Suspicious Failed Logon Reasons | advanced | 4625, 4776 | Microsoft-Windows-Security-Auditing | +| PowerShell Malicious Nishang PowerShell Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell | +| Disabled IE Security Features | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Suspicious PROCEXP152.sys File Created In Tmp | advanced | 11 | Microsoft-Windows-Sysmon | +| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | 7 | Microsoft-Windows-Sysmon | | Svchost Wrong Parent | advanced | 4688 | Microsoft-Windows-Security-Auditing | | Active Directory Replication User Backdoor | advanced | 5136 | Microsoft-Windows-Security-Auditing | -| Suspicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell | -| Suspicious ADSI-Cache Usage By Unknown Tool | advanced | 11 | Microsoft-Windows-Sysmon | -| Control Panel Items | advanced | 1 | Microsoft-Windows-Sysmon | -| Logon Scripts (UserInitMprLogonScript) | advanced | 1, 13 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Tampering Detected | advanced | 1127, 2013, 5001, 5010, 5012, 5101 | Microsoft-Windows-Windows Defender | +| Exfiltration And Tunneling Tools Execution | advanced | 1 | Microsoft-Windows-Sysmon | +| Winlogon wrong parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Legitimate Process Execution From Unusual Folder | advanced | 1, 5, 4688 | Microsoft-Windows-Sysmon | +| Suspicious Windows DNS Queries | advanced | 22 | Microsoft-Windows-Sysmon | +| PowerShell EncodedCommand | advanced | 1 | Microsoft-Windows-Sysmon | +| Rubeus Tool Command-line | advanced | 1 | Microsoft-Windows-Sysmon | | PowerShell Data Compressed | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Disabled IE Security Features | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| NTDS.dit File In Suspicious Directory | advanced | 11 | Microsoft-Windows-Sysmon | -| Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | 1 | Microsoft-Windows-Sysmon | -| RDP Sensitive Settings Changed | advanced | 13 | Microsoft-Windows-Sysmon | | AccCheckConsole Executing Dll | advanced | 5 | Kernel-Process | -| Domain Trust Created Or Removed | advanced | 4706, 4707 | Microsoft-Windows-Security-Auditing | -| PsExec Process | advanced | 13, 7045 | Microsoft-Windows-Sysmon, Service Control Manager | -| Mimikatz LSASS Memory Access | advanced | 10 | Microsoft-Windows-Sysmon | -| PowerView commandlets 2 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | 7 | Microsoft-Windows-Sysmon | -| XCopy Suspicious Usage | advanced | 1 | Microsoft-Windows-Sysmon | | CreateRemoteThread Common Process Injection | advanced | 8 | Microsoft-Windows-Sysmon | -| Default Encoding To UTF-8 PowerShell | advanced | 1 | Microsoft-Windows-Sysmon | -| Powershell AMSI Bypass | advanced | 4104 | Microsoft-Windows-PowerShell | -| Microsoft Office Product Spawning Windows Shell | advanced | 1 | Microsoft-Windows-Sysmon | -| Taskhost or Taskhostw Suspicious Child Found | advanced | 1 | Microsoft-Windows-Sysmon | -| Remote Service Activity Via SVCCTL Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing | -| Domain Group And Permission Enumeration | advanced | 1 | Microsoft-Windows-Sysmon | +| Rclone Process | advanced | 1 | Microsoft-Windows-Sysmon | +| Lateral Movement - Remote Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing | +| Suspicious Control Process | advanced | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Tampering Detected | advanced | 1127, 2013, 5001, 5010, 5012, 5101 | Microsoft-Windows-Windows Defender | | Rare Logonui Child Found | advanced | 1 | Microsoft-Windows-Sysmon | -| Exfiltration And Tunneling Tools Execution | advanced | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically | advanced | 64 | | +| Active Directory Replication from Non Machine Account | advanced | 4662 | Microsoft-Windows-Security-Auditing | +| Webshell Execution W3WP Process | advanced | 1 | Microsoft-Windows-Sysmon | +| Winword wrong parent | advanced | 4688 | Microsoft-Windows-Security-Auditing | +| PowerView commandlets 1 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Unsigned Image Loaded Into LSASS Process | advanced | 7 | Microsoft-Windows-Sysmon | +| Domain Group And Permission Enumeration | advanced | 1 | Microsoft-Windows-Sysmon | +| PsExec Process | advanced | 13, 7045 | Microsoft-Windows-Sysmon, Service Control Manager | | Metasploit PSExec Service Creation | advanced | 7045 | Service Control Manager | +| Cmd.exe Used To Run Reconnaissance Commands | advanced | 1 | Microsoft-Windows-Sysmon | +| Logon Scripts (UserInitMprLogonScript) | advanced | 1, 13 | Microsoft-Windows-Sysmon | +| Default Encoding To UTF-8 PowerShell | advanced | 1 | Microsoft-Windows-Sysmon | +| Python Opening Ports | advanced | 5154 | Microsoft-Windows-Security-Auditing | +| Domain Trust Created Or Removed | advanced | 4706, 4707 | Microsoft-Windows-Security-Auditing | +| Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | 1 | Microsoft-Windows-Sysmon | +| XCopy Suspicious Usage | advanced | 1 | Microsoft-Windows-Sysmon | +| AutoIt3 Execution From Suspicious Folder | advanced | 5 | Kernel-Process | +| RDP Session Discovery | advanced | 1 | Microsoft-Windows-Sysmon | +| Mimikatz LSASS Memory Access | advanced | 10 | Microsoft-Windows-Sysmon | +| Suspicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell | | PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | 4104 | Microsoft-Windows-PowerShell | -| Powershell Web Request | advanced | 1 | Microsoft-Windows-Sysmon | -| SAM Registry Hive Handle Request | advanced | 4656 | Microsoft-Windows-Security-Auditing | +| Csrss Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | | Suspicious desktop.ini Action | advanced | 15 | Microsoft-Windows-Sysmon | -| Windows Registry Persistence COM Search Order Hijacking | advanced | 13 | Microsoft-Windows-Sysmon | +| Malicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell | | Remote Privileged Group Enumeration | advanced | 4799 | | -| PowerShell Execution Via Rundll32 | intermediate | 1 | Microsoft-Windows-Sysmon | -| IIS Module Installation Using AppCmd | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Desktopimgdownldr Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Restoration Abuse | intermediate | 1 | Microsoft-Windows-Sysmon | -| MavInject Process Injection | intermediate | 1 | Microsoft-Windows-Sysmon | -| Audio Capture via PowerShell | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| BazarLoader Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | -| Lsass Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft Malware Protection Engine Crash | intermediate | 1000 | Application Error | -| Microsoft Defender Antivirus Disable Services | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| MalwareBytes Uninstallation | intermediate | 1 | Microsoft-Windows-Sysmon | -| Usage Of Procdump With Common Arguments | intermediate | 13 | Microsoft-Windows-Sysmon | -| Suspicious Windows Script Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| WMIC Command To Determine The Antivirus | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Suspicious Mshta Execution From Wmi | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Mshta Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| Remote Enumeration of Lateral Movement Groups | intermediate | 4799 | Microsoft-Windows-Security-Auditing | -| Wmic Service Call | intermediate | 1 | Microsoft-Windows-Sysmon | -| Capture a network trace with netsh.exe | intermediate | 1 | Microsoft-Windows-Sysmon | -| SolarWinds Wrong Child Process | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious PowerShell Invocations - Specific | intermediate | 1 | Microsoft-Windows-Sysmon | -| Phosphorus Domain Controller Discovery | intermediate | 4104 | Microsoft-Windows-PowerShell | -| User Added to Local Administrators | intermediate | 4732 | Microsoft-Windows-Security-Auditing | +| Transfering Files With Credential Data Via Network Shares | intermediate | 5145 | Microsoft-Windows-Security-Auditing | | Copy Of Legitimate System32 Executable | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Network Sniffing Windows | intermediate | 1, 5 | Microsoft-Windows-Sysmon | -| SOCKS Tunneling Tool | intermediate | 1 | Microsoft-Windows-Sysmon | -| Impacket Secretsdump.py Tool | intermediate | 5145 | Microsoft-Windows-Security-Auditing | -| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1031, 1032, 1033, 1034 | Microsoft-Windows-DHCP-Server | -| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | 4794 | Microsoft-Windows-Security-Auditing | -| PowerShell Download From URL | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Formbook File Creation DB1 | intermediate | 11 | Microsoft-Windows-Sysmon | -| WCE wceaux.dll Creation | intermediate | 30 | Microsoft-Windows-Kernel-File | -| Exchange Server Creating Unusual Files | intermediate | 11 | Microsoft-Windows-Sysmon | -| Suspicious SAM Dump | intermediate | 16 | Microsoft-Windows-Kernel-General | -| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | 1 | Microsoft-Windows-Sysmon | -| SolarWinds Suspicious File Creation | intermediate | 11 | Microsoft-Windows-Sysmon | | Exchange Server Spawning Suspicious Processes | intermediate | 1 | Microsoft-Windows-Sysmon | -| Powershell Winlogon Helper DLL | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Suspicious Hostname | intermediate | 4624 | Microsoft-Windows-Security-Auditing | +| Suspicious DLL side loading from ProgramData | intermediate | 7 | Microsoft-Windows-Sysmon | +| RDP Port Change Using Powershell | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| HackTools Suspicious Process Names In Command Line | intermediate | 1, 5 | Microsoft-Windows-Sysmon | +| Csrss Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | +| Successful Overpass The Hash Attempt | intermediate | 4624 | Microsoft-Windows-Security-Auditing | +| MS Office Product Spawning Exe in User Dir | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Commands From MS SQL Server Shell | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Restoration Abuse | intermediate | 1 | Microsoft-Windows-Sysmon | +| Creation or Modification of a GPO Scheduled Task | intermediate | 5145 | Microsoft-Windows-Security-Auditing | +| PowerShell Execution Via Rundll32 | intermediate | 1 | Microsoft-Windows-Sysmon | +| Wininit Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Remote Task Creation Via ATSVC Named Pipe | intermediate | 5145 | Microsoft-Windows-Security-Auditing | +| Possible RottenPotato Attack | intermediate | 4624 | Microsoft-Windows-Security-Auditing | +| Exfiltration Domain In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | +| Data Compressed With Rar With Password | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Finger Usage | intermediate | 1 | Microsoft-Windows-Sysmon | +| Winrshost Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | | Disable .NET ETW Through COMPlus_ETWEnabled | intermediate | 1, 13 | Microsoft-Windows-Sysmon | -| Denied Access To Remote Desktop | intermediate | 4825 | Microsoft-Windows-Security-Auditing | -| DNS Exfiltration and Tunneling Tools Execution | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Registry Key Used By Some Old Agent Tesla Samples | intermediate | 13 | Microsoft-Windows-Sysmon | -| Ryuk Ransomware Persistence Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Spoolsv Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| DC Shadow via Service Principal Name (SPN) creation | intermediate | 4742, 5136 | Microsoft-Windows-Security-Auditing | -| Taskhost Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft 365 (Office 365) Malware Uploaded On OneDrive | intermediate | 6 | | +| Exchange Server Creating Unusual Files | intermediate | 11 | Microsoft-Windows-Sysmon | | Cred Dump Tools Dropped Files | intermediate | 11 | Microsoft-Windows-Sysmon | -| Userinit Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| Pandemic Windows Implant | intermediate | 1, 13 | Microsoft-Windows-Sysmon | -| Netsh Program Allowed With Suspicious Location | intermediate | 1 | Microsoft-Windows-Sysmon | -| Qakbot Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | -| Data Compressed With Rar With Password | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Finger Usage | intermediate | 1 | Microsoft-Windows-Sysmon | -| Commonly Used Commands To Stop Services And Remove Backups | intermediate | 1 | Microsoft-Windows-Sysmon | -| Secure Deletion With SDelete | intermediate | 4656, 4658, 4663 | Microsoft-Windows-Security-Auditing | -| MOFComp Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| Creation or Modification of a GPO Scheduled Task | intermediate | 5145 | Microsoft-Windows-Security-Auditing | +| Inhibit System Recovery Deleting Backups | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Powershell Winlogon Helper DLL | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | | Microsoft 365 (Office 365) Malware Uploaded On SharePoint | intermediate | 6 | | -| Sliver DNS Beaconing | intermediate | 22 | Microsoft-Windows-Sysmon | -| Formbook Hijacked Process Command | intermediate | 1 | Microsoft-Windows-Sysmon | -| Powershell UploadString Function | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Windows Installer Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| Wmiprvse Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 Email Forwarding To Consumer Email Address | intermediate | 1 | | +| Taskhost Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| COM Hijack Via Sdclt | intermediate | 1 | Microsoft-Windows-Sysmon | +| IIS Module Installation Using AppCmd | intermediate | 1 | Microsoft-Windows-Sysmon | +| MavInject Process Injection | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Desktopimgdownldr Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| QakBot Process Creation | intermediate | 1 | Microsoft-Windows-Sysmon | +| OneNote Embedded File | intermediate | 11, 15 | Microsoft-Windows-Sysmon | +| Phosphorus Domain Controller Discovery | intermediate | 4104 | Microsoft-Windows-PowerShell | +| Capture a network trace with netsh.exe | intermediate | 1 | Microsoft-Windows-Sysmon | +| KeePass Config XML In Command-Line | intermediate | 1 | Microsoft-Windows-Sysmon | +| Impacket Secretsdump.py Tool | intermediate | 5145 | Microsoft-Windows-Security-Auditing | +| Gpscript Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Searchprotocolhost Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | | New DLL Added To AppCertDlls Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon | -| Successful Overpass The Hash Attempt | intermediate | 4624 | Microsoft-Windows-Security-Auditing | -| Suspicious Taskkill Command | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious DLL Loading By Ordinal | intermediate | 1 | Microsoft-Windows-Sysmon | -| LSASS Memory Dump File Creation | intermediate | 11 | Microsoft-Windows-Sysmon | -| CertOC Loading Dll | intermediate | 1 | Kernel-Process | +| Cmdkey Cached Credentials Recon | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Process Requiring DLL Starts Without DLL | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Outlook Child Process | intermediate | 4688 | Microsoft-Windows-Security-Auditing | +| Microsoft Defender Antivirus Disable Scheduled Tasks | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| NetNTLM Downgrade Attack | intermediate | 13, 4657 | Microsoft-Windows-Sysmon | | GPO Executable Delivery | intermediate | 5136 | Microsoft-Windows-Security-Auditing | -| Searchprotocolhost Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | -| Non-Legitimate Executable Using AcceptEula Parameter | intermediate | 3, 5 | Kernel-Process, Microsoft-Windows-Kernel-Process | -| Network Connection Via Certutil | intermediate | 3 | Microsoft-Windows-Sysmon | -| Rare Lsass Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | -| Explorer Process Executing HTA File | intermediate | 1 | Microsoft-Windows-Sysmon | -| Possible RottenPotato Attack | intermediate | 4624 | Microsoft-Windows-Security-Auditing | -| Venom Multi-hop Proxy agent detection | intermediate | 1 | Kernel-Process | -| MMC Spawning Windows Shell | intermediate | 1 | Microsoft-Windows-Sysmon | -| Remote Task Creation Via ATSVC Named Pipe | intermediate | 5145 | Microsoft-Windows-Security-Auditing | +| Suspicious Scripting In A WMI Consumer | intermediate | 20 | Microsoft-Windows-Sysmon | +| Powershell UploadString Function | intermediate | 1 | Microsoft-Windows-Sysmon | +| Qakbot Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | +| Clear EventLogs Through CommandLine | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft 365 Email Forwarding To Consumer Email Address | intermediate | 1 | | +| Registry Key Used By Some Old Agent Tesla Samples | intermediate | 13 | Microsoft-Windows-Sysmon | | Suspicious Driver Loaded | intermediate | 13 | Microsoft-Windows-Sysmon | -| Suspicious PowerShell Invocations - Generic | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspect Svchost Memory Access | intermediate | 10 | Microsoft-Windows-Sysmon | -| Suspicious Cmd File Copy Command To Network Share | intermediate | 30 | Microsoft-Windows-Kernel-File | -| Eventlog Cleared | intermediate | 517, 1102 | Microsoft-Windows-Eventlog | -| Wsmprovhost Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| Wininit Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Lsass Access Through WinRM | intermediate | 10 | Microsoft-Windows-Sysmon | +| Password Dumper Activity On LSASS | intermediate | 4656 | Microsoft-Windows-Security-Auditing | +| Formbook Hijacked Process Command | intermediate | 1 | Microsoft-Windows-Sysmon | | Suspicious Rundll32.exe Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Scheduled Task Creation | intermediate | 4688 | Microsoft-Windows-Security-Auditing | -| Active Directory Delegate To KRBTGT Service | intermediate | 4738 | Microsoft-Windows-Security-Auditing | -| RDP Port Change Using Powershell | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| DHCP Callout DLL Installation | intermediate | 13 | Microsoft-Windows-Sysmon | -| Schtasks Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft Office Spawning Script | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Threat Detected | intermediate | 1006, 1007, 1008, 1015, 1116, 1117, 1118, 1119, 1125, 1126 | Microsoft-Windows-Windows Defender | -| Transfering Files With Credential Data Via Network Shares | intermediate | 5145 | Microsoft-Windows-Security-Auditing | -| DCSync Attack | intermediate | 4662 | Microsoft-Windows-Security-Auditing | -| New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | 4720 | Microsoft-Windows-Security-Auditing | +| Remote Enumeration of Lateral Movement Groups | intermediate | 4799 | Microsoft-Windows-Security-Auditing | +| Ryuk Ransomware Persistence Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon | +| WCE wceaux.dll Creation | intermediate | 30 | Microsoft-Windows-Kernel-File | +| Suspicious LDAP-Attributes Used | intermediate | 5136 | Microsoft-Windows-Security-Auditing | +| ETW Tampering | intermediate | 1 | Microsoft-Windows-Sysmon | +| Secure Deletion With SDelete | intermediate | 4656, 4658, 4663 | Microsoft-Windows-Security-Auditing | | Grabbing Sensitive Hives Via Reg Utility | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft Office Spawning Script | intermediate | 1 | Microsoft-Windows-Sysmon | | NjRat Registry Changes | intermediate | 1, 12, 13 | Microsoft-Windows-Sysmon | -| Microsoft 365 (Office 365) AtpDetection | intermediate | 47 | | -| Credential Dumping Tools Service Execution | intermediate | 7045 | Service Control Manager | -| Active Directory User Backdoors | intermediate | 4662, 5136 | Microsoft-Windows-Security-Auditing | -| COM Hijack Via Sdclt | intermediate | 1 | Microsoft-Windows-Sysmon | -| StoneDrill Service Install | intermediate | 7045 | Service Control Manager | -| Possible Replay Attack | intermediate | 4649 | Microsoft-Windows-Security-Auditing | -| Bloodhound and Sharphound Tools Usage | intermediate | 1 | Microsoft-Windows-Sysmon | -| Clear EventLogs Through CommandLine | intermediate | 1 | Microsoft-Windows-Sysmon | -| Sysprep On AppData Folder | intermediate | 1 | Microsoft-Windows-Sysmon | +| Disable Windows Defender Credential Guard | intermediate | 13 | Microsoft-Windows-Sysmon | +| Backup Catalog Deleted | intermediate | 524 | Microsoft-Windows-Backup | | Hijack Legit RDP Session To Move Laterally | intermediate | 11 | Microsoft-Windows-Sysmon | -| CMSTP UAC Bypass via COM Object Access | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Commands From MS SQL Server Shell | intermediate | 1 | Microsoft-Windows-Sysmon | -| OneNote Embedded File | intermediate | 11, 15 | Microsoft-Windows-Sysmon | -| Password Dumper Activity On LSASS | intermediate | 4656 | Microsoft-Windows-Security-Auditing | -| DPAPI Domain Backup Key Extraction | intermediate | 4662 | Microsoft-Windows-Security-Auditing | -| Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | 1 | Microsoft-Windows-Sysmon | -| NTDS.dit File Interaction Through Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | -| Koadic Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| Cmdkey Cached Credentials Recon | intermediate | 1 | Microsoft-Windows-Sysmon | -| DLL Load via LSASS Registry Key | intermediate | 12, 13 | Microsoft-Windows-Sysmon | +| Spoolsv Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| TUN/TAP Driver Installation | intermediate | 4697, 7045 | Service Control Manager | +| Network Connection Via Certutil | intermediate | 3 | Microsoft-Windows-Sysmon | +| SolarWinds Wrong Child Process | intermediate | 1 | Microsoft-Windows-Sysmon | | SquirrelWaffle Malspam Execution Loading DLL | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Disable Scheduled Tasks | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Netsh RDP Port Opening | intermediate | 1 | Microsoft-Windows-Sysmon | -| Gpscript Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| Inhibit System Recovery Deleting Backups | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Exfiltration Domain In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | -| Mshta Suspicious Child Process | intermediate | 1, 5 | Kernel-Process | -| MS Office Product Spawning Exe in User Dir | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 Email Forwarding To Email Address With Rare TLD | intermediate | 1 | | -| OceanLotus Registry Activity | intermediate | 13 | Microsoft-Windows-Sysmon | -| Spyware Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | -| Werfault DLL Injection | intermediate | 7 | Microsoft-Windows-Sysmon | -| Backup Catalog Deleted | intermediate | 524 | Microsoft-Windows-Backup | -| Suspicious Network Args In Command Line | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon | -| Suspicious DNS Child Process | intermediate | 1 | Microsoft-Windows-Sysmon | -| Searchindexer Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious LDAP-Attributes Used | intermediate | 5136 | Microsoft-Windows-Security-Auditing | +| Suspicious Hostname | intermediate | 4624 | Microsoft-Windows-Security-Auditing | +| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1031, 1032, 1034 | Microsoft-Windows-DHCP-Server | +| Suspicious Taskkill Command | intermediate | 1 | Microsoft-Windows-Sysmon | +| High Privileges Network Share Removal | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Scheduled Task Creation | intermediate | 4688 | Microsoft-Windows-Security-Auditing | +| Taskhostw Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Python HTTP Server | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Cmd File Copy Command To Network Share | intermediate | 30 | Microsoft-Windows-Kernel-File | +| Sysprep On AppData Folder | intermediate | 1 | Microsoft-Windows-Sysmon | +| BazarLoader Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Mshta Execution From Wmi | intermediate | 1 | Microsoft-Windows-Sysmon | +| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | 4794 | Microsoft-Windows-Security-Auditing | | Netsh Allowed Python Program | intermediate | 1 | Microsoft-Windows-Sysmon | -| STRRAT Scheduled Task | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Scripting In A WMI Consumer | intermediate | 20 | Microsoft-Windows-Sysmon | -| QakBot Process Creation | intermediate | 1 | Microsoft-Windows-Sysmon | -| XSL Script Processing And SquiblyTwo Attack | intermediate | 1 | Microsoft-Windows-Sysmon | -| Malicious Named Pipe | intermediate | 17 | Microsoft-Windows-Sysmon | -| UAC Bypass Using Fodhelper | intermediate | 13 | Microsoft-Windows-Sysmon | -| Disable Windows Defender Credential Guard | intermediate | 13 | Microsoft-Windows-Sysmon | -| Suspicious Outlook Child Process | intermediate | 4688 | Microsoft-Windows-Security-Auditing | -| NlTest Usage | intermediate | 1 | Microsoft-Windows-Sysmon | -| Csrss Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious DLL side loading from ProgramData | intermediate | 7 | Microsoft-Windows-Sysmon | -| Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action | intermediate | 64 | | -| Chafer (APT 39) Activity | intermediate | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager | -| Detection of default Mimikatz banner | intermediate | 4103 | Microsoft-Windows-PowerShell | -| WMIC Uninstall Product | intermediate | 1 | Microsoft-Windows-Sysmon | +| Userinit Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Logonui Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | | Exchange Mailbox Export | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| ETW Tampering | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 (Office 365) Malware Uploaded On OneDrive | intermediate | 6 | | +| Usage Of Procdump With Common Arguments | intermediate | 13 | Microsoft-Windows-Sysmon | +| Wmic Process Call Creation | intermediate | 1 | Microsoft-Windows-Sysmon | +| Wmic Service Call | intermediate | 1 | Microsoft-Windows-Sysmon | +| CMSTP Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Windows Script Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| Formbook File Creation DB1 | intermediate | 11 | Microsoft-Windows-Sysmon | +| Eventlog Cleared | intermediate | 517, 1102 | Microsoft-Windows-Eventlog | +| STRRAT Scheduled Task | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Suspicious PowerShell Invocations - Specific | intermediate | 1 | Microsoft-Windows-Sysmon | | Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data | intermediate | 4104 | Microsoft-Windows-PowerShell | +| XSL Script Processing And SquiblyTwo Attack | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft 365 (Office 365) AtpDetection | intermediate | 47 | | +| Spyware Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | +| Schtasks Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Regsvr32 Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| NTDS.dit File Interaction Through Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | +| New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | 4720 | Microsoft-Windows-Security-Auditing | +| Wmiprvse Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Rare Lsass Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | +| Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | 1 | Microsoft-Windows-Sysmon | +| StoneDrill Service Install | intermediate | 7045 | Service Control Manager | +| Pandemic Windows Implant | intermediate | 1, 13 | Microsoft-Windows-Sysmon | +| PowerCat Function Loading | intermediate | 4104 | Microsoft-Windows-PowerShell | | Suspicious certutil command | intermediate | 1 | Microsoft-Windows-Sysmon | -| MSBuild Abuse | intermediate | 1, 3 | Microsoft-Windows-Sysmon | -| Searchprotocolhost Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| DLL Load via LSASS Registry Key | intermediate | 12, 13 | Microsoft-Windows-Sysmon | +| Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action | intermediate | 64 | | +| Malicious Named Pipe | intermediate | 17 | Microsoft-Windows-Sysmon | +| Werfault DLL Injection | intermediate | 7 | Microsoft-Windows-Sysmon | +| SolarWinds Suspicious File Creation | intermediate | 11 | Microsoft-Windows-Sysmon | +| DCSync Attack | intermediate | 4662 | Microsoft-Windows-Security-Auditing | +| MMC Spawning Windows Shell | intermediate | 1 | Microsoft-Windows-Sysmon | +| Non-Legitimate Executable Using AcceptEula Parameter | intermediate | 3, 5 | Kernel-Process, Microsoft-Windows-Kernel-Process | +| CMSTP UAC Bypass via COM Object Access | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious SAM Dump | intermediate | 16 | Microsoft-Windows-Kernel-General | | Ngrok Process Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| Winrshost Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| KeePass Config XML In Command-Line | intermediate | 1 | Microsoft-Windows-Sysmon | +| MSBuild Abuse | intermediate | 1, 3 | Microsoft-Windows-Sysmon | +| Netsh RDP Port Opening | intermediate | 1 | Microsoft-Windows-Sysmon | +| NlTest Usage | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious PowerShell Invocations - Generic | intermediate | 1 | Microsoft-Windows-Sysmon | +| Credential Dumping Tools Service Execution | intermediate | 7045 | Service Control Manager | +| Explorer Process Executing HTA File | intermediate | 1 | Microsoft-Windows-Sysmon | +| Possible Replay Attack | intermediate | 4649 | Microsoft-Windows-Security-Auditing | +| MOFComp Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| CertOC Loading Dll | intermediate | 1 | Kernel-Process | +| SOCKS Tunneling Tool | intermediate | 1 | Microsoft-Windows-Sysmon | +| Denied Access To Remote Desktop | intermediate | 4825 | Microsoft-Windows-Security-Auditing | +| Koadic Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| Bloodhound and Sharphound Tools Usage | intermediate | 1 | Microsoft-Windows-Sysmon | +| MalwareBytes Uninstallation | intermediate | 1 | Microsoft-Windows-Sysmon | +| WMIC Command To Determine The Antivirus | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Audio Capture via PowerShell | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Commonly Used Commands To Stop Services And Remove Backups | intermediate | 1 | Microsoft-Windows-Sysmon | +| Active Directory Delegate To KRBTGT Service | intermediate | 4738 | Microsoft-Windows-Security-Auditing | +| Microsoft Defender Antivirus Threat Detected | intermediate | 1006, 1007, 1008, 1015, 1116, 1117, 1118, 1119, 1125, 1126 | Microsoft-Windows-Windows Defender | | WMImplant Hack Tool | intermediate | 4104 | Microsoft-Windows-PowerShell | -| NetNTLM Downgrade Attack | intermediate | 13, 4657 | Microsoft-Windows-Sysmon | -| Python HTTP Server | intermediate | 1 | Microsoft-Windows-Sysmon | +| Trickbot Malware Activity | intermediate | 1 | Microsoft-Windows-Sysmon | +| Searchprotocolhost Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| User Added to Local Administrators | intermediate | 4732 | Microsoft-Windows-Security-Auditing | +| Lsass Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious DNS Child Process | intermediate | 1 | Microsoft-Windows-Sysmon | +| DNS Exfiltration and Tunneling Tools Execution | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Chafer (APT 39) Activity | intermediate | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager | +| DPAPI Domain Backup Key Extraction | intermediate | 4662 | Microsoft-Windows-Security-Auditing | +| Wsmprovhost Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Disable Services | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Microsoft 365 Email Forwarding To Email Address With Rare TLD | intermediate | 1 | | +| Microsoft Malware Protection Engine Crash | intermediate | 1000 | Application Error | +| DHCP Callout DLL Installation | intermediate | 13 | Microsoft-Windows-Sysmon | +| LSASS Memory Dump File Creation | intermediate | 11 | Microsoft-Windows-Sysmon | +| DHCP Server Loaded the CallOut DLL | intermediate | 1033 | Microsoft-Windows-DHCP-Server | +| OceanLotus Registry Activity | intermediate | 13 | Microsoft-Windows-Sysmon | +| Netsh Program Allowed With Suspicious Location | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious DLL Loading By Ordinal | intermediate | 1 | Microsoft-Windows-Sysmon | +| Sliver DNS Beaconing | intermediate | 22 | Microsoft-Windows-Sysmon | | MMC20 Lateral Movement | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Process Requiring DLL Starts Without DLL | intermediate | 1 | Microsoft-Windows-Sysmon | -| Logonui Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| PowerCat Function Loading | intermediate | 4104 | Microsoft-Windows-PowerShell | -| Suspicious Regsvr32 Execution | intermediate | 1 | Microsoft-Windows-Sysmon | | NetSh Used To Disable Windows Firewall | intermediate | 1 | Microsoft-Windows-Sysmon | -| HackTools Suspicious Process Names In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | -| High Privileges Network Share Removal | intermediate | 1 | Microsoft-Windows-Sysmon | -| Lsass Access Through WinRM | intermediate | 10 | Microsoft-Windows-Sysmon | -| TUN/TAP Driver Installation | intermediate | 4697, 7045 | Service Control Manager | -| Trickbot Malware Activity | intermediate | 1 | Microsoft-Windows-Sysmon | -| CMSTP Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| Wmic Process Call Creation | intermediate | 1 | Microsoft-Windows-Sysmon | +| Detection of default Mimikatz banner | intermediate | 4103 | Microsoft-Windows-PowerShell | +| WMIC Uninstall Product | intermediate | 1 | Microsoft-Windows-Sysmon | +| Mshta Suspicious Child Process | intermediate | 1, 5 | Kernel-Process | +| PowerShell Download From URL | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Network Sniffing Windows | intermediate | 1, 5 | Microsoft-Windows-Sysmon | | Smss Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| Taskhostw Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| DHCP Server Loaded the CallOut DLL | intermediate | 1033 | | -| Antivirus Relevant File Paths Alerts | elementary | 1116 | Microsoft-Windows-Windows Defender | -| Turla Named Pipes | elementary | 17 | Microsoft-Windows-Sysmon | -| WiFi Credentials Harvesting Using Netsh | elementary | 1 | Microsoft-Windows-Sysmon | +| Suspicious Network Args In Command Line | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon | +| Searchindexer Wrong Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Venom Multi-hop Proxy agent detection | intermediate | 1 | Kernel-Process | +| DC Shadow via Service Principal Name (SPN) creation | intermediate | 4742, 5136 | Microsoft-Windows-Security-Auditing | +| Suspect Svchost Memory Access | intermediate | 10 | Microsoft-Windows-Sysmon | +| Suspicious Windows Installer Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| Active Directory User Backdoors | intermediate | 4662, 5136 | Microsoft-Windows-Security-Auditing | +| UAC Bypass Using Fodhelper | intermediate | 13 | Microsoft-Windows-Sysmon | +| Empire Monkey Activity | elementary | 1 | Microsoft-Windows-Sysmon | +| OneNote Suspicious Children Process | elementary | 1, 15 | Microsoft-Windows-Sysmon | | Disable Task Manager Through Registry Key | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Schtasks Persistence With High Privileges | elementary | 1 | Microsoft-Windows-Sysmon | -| Exploited CVE-2020-10189 Zoho ManageEngine | elementary | 1 | Microsoft-Windows-Sysmon | +| Wdigest Enable UseLogonCredential | elementary | 1, 13 | Microsoft-Windows-Sysmon | | Leviathan Registry Key Activity | elementary | 1, 13 | Microsoft-Windows-Sysmon | | RTLO Character | elementary | 15 | Microsoft-Windows-Sysmon | -| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | 1, 13, 17, 4697, 7045 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager | -| DNS Tunnel Technique From MuddyWater | elementary | 1 | Microsoft-Windows-Sysmon | +| PasswordDump SecurityXploded Tool | elementary | 1 | Microsoft-Windows-Sysmon | +| Copying Browser Files With Credentials | elementary | 1 | Microsoft-Windows-Sysmon | +| Suspicious Headless Web Browser Execution To Download File | elementary | 5 | Kernel-Process | +| Active Directory Database Dump Via Ntdsutil | elementary | 325 | ESENT | +| Suspicious HWP Child Process | elementary | 1 | Microsoft-Windows-Sysmon | +| Dllhost Wrong Parent | elementary | 1 | Microsoft-Windows-Sysmon | +| Disable Workstation Lock | elementary | 13 | Microsoft-Windows-Sysmon | +| Winword Document Droppers | elementary | 1 | Microsoft-Windows-Sysmon | +| Audit CVE Event | elementary | 1 | Microsoft-Windows-Audit-CVE | +| Equation Group DLL_U Load | elementary | 1 | Microsoft-Windows-Sysmon | +| Antivirus Password Dumper Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | +| Suspicious Windows ANONYMOUS LOGON Local Account Created | elementary | 4720 | Microsoft-Windows-Security-Auditing | | UAC Bypass via Event Viewer | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Smbexec.py Service Installation | elementary | 6, 4697, 7045 | Service Control Manager | -| Credential Dumping By LaZagne | elementary | 10 | Microsoft-Windows-Sysmon | +| RDP Login From Localhost | elementary | 4624 | Microsoft-Windows-Security-Auditing | +| Malicious Service Installations | elementary | 4697, 7045 | Service Control Manager | | Cobalt Strike Default Beacons Names | elementary | 1, 15 | Microsoft-Windows-Sysmon | +| Phosphorus (APT35) Exchange Discovery | elementary | 4104 | Microsoft-Windows-PowerShell | +| Microsoft Defender for Office 365 High Severity AIR Alert | elementary | 64 | | +| Smbexec.py Service Installation | elementary | 6, 4697, 7045 | Service Control Manager | +| Microsoft Entra ID (Azure AD) Domain Trust Modification | elementary | 8 | | +| Process Memory Dump Using Rdrleakdiag | elementary | 5 | Kernel-Process | +| Microsoft Defender for Office 365 Medium Severity AIR Alert | elementary | 64 | | +| Microsoft 365 Email Forwarding To Privacy Email Address | elementary | 1 | | | AdFind Usage | elementary | 1 | Microsoft-Windows-Sysmon | +| Domain Trust Discovery Through LDAP | elementary | 1 | Microsoft-Windows-Sysmon | | RedMimicry Winnti Playbook Registry Manipulation | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Windows Credential Editor Registry Key | elementary | 13 | Microsoft-Windows-Sysmon | -| Outlook Registry Access | elementary | 1 | Microsoft-Windows-Sysmon | -| Empire Monkey Activity | elementary | 1 | Microsoft-Windows-Sysmon | -| AD Object WriteDAC Access | elementary | 4662 | Microsoft-Windows-Security-Auditing | -| Debugging Software Deactivation | elementary | 1 | Microsoft-Windows-Sysmon | -| Security Support Provider (SSP) Added to LSA Configuration | elementary | 13 | Microsoft-Windows-Sysmon | -| HackTools Suspicious Process Names | elementary | 5 | Microsoft-Windows-Sysmon | -| SysKey Registry Keys Access | elementary | 4656, 4663 | Microsoft-Windows-Security-Auditing | -| Sticky Key Like Backdoor Usage | elementary | 13 | Microsoft-Windows-Sysmon | -| Netsh RDP Port Forwarding | elementary | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 Suspicious Inbox Rule | elementary | 1 | | | Suncrypt Parameters | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Process Memory Dump Using Rdrleakdiag | elementary | 5 | Kernel-Process | -| APT29 Fake Google Update Service Install | elementary | 7045 | Service Control Manager | -| RedMimicry Winnti Playbook Dropped File | elementary | 11 | Microsoft-Windows-Sysmon | -| ICacls Granting Access To All | elementary | 1 | Microsoft-Windows-Sysmon | -| Domain Trust Discovery Through LDAP | elementary | 1 | Microsoft-Windows-Sysmon | -| Antivirus Password Dumper Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | -| Mustang Panda Dropper | elementary | 1 | Microsoft-Windows-Sysmon | -| RYUK Ransomeware - martinstevens Username | elementary | 4103 | Microsoft-Windows-PowerShell | -| Wdigest Enable UseLogonCredential | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Mshta JavaScript Execution | elementary | 1 | Microsoft-Windows-Sysmon | -| TrustedInstaller Impersonation | elementary | 4104 | Microsoft-Windows-PowerShell | -| Copying Sensitive Files With Credential Data | elementary | 1 | Microsoft-Windows-Sysmon | -| IcedID Execution Using Excel | elementary | 1 | Microsoft-Windows-Sysmon | -| PowerShell AMSI Deactivation Bypass Using .NET Reflection | elementary | 4104 | Microsoft-Windows-PowerShell | -| PasswordDump SecurityXploded Tool | elementary | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 Email Forwarding To Privacy Email Address | elementary | 1 | | -| Office Application Startup Office Test | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Lazarus Loaders | elementary | 1 | Microsoft-Windows-Sysmon | -| Impacket Wmiexec Module | elementary | 1 | Microsoft-Windows-Sysmon | -| PowerShell Downgrade Attack | elementary | 1 | Microsoft-Windows-Sysmon | -| Invoke-TheHash Commandlets | elementary | 4104 | Microsoft-Windows-PowerShell | -| Microsoft Defender Antivirus Signatures Removed With MpCmdRun | elementary | 1 | Microsoft-Windows-Sysmon | -| Process Memory Dump Using Createdump | elementary | 1 | Kernel-Process | -| Antivirus Exploitation Framework Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | -| Exploit For CVE-2015-1641 | elementary | 1 | Microsoft-Windows-Sysmon | -| Windows Update LolBins | elementary | 1 | Microsoft-Windows-Sysmon | -| Suspicious VBS Execution Parameter | elementary | 1 | Microsoft-Windows-Sysmon | -| Suspicious Netsh DLL Persistence | elementary | 1 | Microsoft-Windows-Sysmon | -| PowerShell Credential Prompt | elementary | 4104 | Microsoft-Windows-PowerShell | -| WMI Persistence Command Line Event Consumer | elementary | 7 | Microsoft-Windows-Sysmon | -| Phorpiex Process Masquerading | elementary | 1 | Microsoft-Windows-Sysmon | -| Equation Group DLL_U Load | elementary | 1 | Microsoft-Windows-Sysmon | | Ryuk Ransomware Command Line | elementary | 1 | Microsoft-Windows-Sysmon | +| Sticky Key Like Backdoor Usage | elementary | 13 | Microsoft-Windows-Sysmon | | Microsoft Office Startup Add-In | elementary | 11 | Microsoft-Windows-Sysmon | +| Microsoft 365 Sign-in With No User Agent | elementary | 15 | | +| IcedID Execution Using Excel | elementary | 1 | Microsoft-Windows-Sysmon | +| Explorer Wrong Parent | elementary | 1 | Microsoft-Windows-Sysmon | +| Exploit For CVE-2015-1641 | elementary | 1 | Microsoft-Windows-Sysmon | | Phorpiex DriveMgr Command | elementary | 1 | Microsoft-Windows-Sysmon | -| Suspicious Headless Web Browser Execution To Download File | elementary | 5 | Kernel-Process | -| Disable Workstation Lock | elementary | 13 | Microsoft-Windows-Sysmon | -| Process Memory Dump Using Comsvcs | elementary | 1 | Microsoft-Windows-Sysmon | -| WMI Install Of Binary | elementary | 1 | Microsoft-Windows-Sysmon | +| Dumpert LSASS Process Dumper | elementary | 7, 11 | Microsoft-Windows-Sysmon | +| Suspicious Netsh DLL Persistence | elementary | 1 | Microsoft-Windows-Sysmon | +| Invoke-TheHash Commandlets | elementary | 4104 | Microsoft-Windows-PowerShell | +| Microsoft Defender Antivirus Signatures Removed With MpCmdRun | elementary | 1 | Microsoft-Windows-Sysmon | +| Netsh Port Forwarding | elementary | 1 | Microsoft-Windows-Sysmon | | CVE-2019-0708 Scan | elementary | 4625 | Microsoft-Windows-Security-Auditing | -| Active Directory Database Dump Via Ntdsutil | elementary | 325 | ESENT | -| Antivirus Web Shell Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | -| RDP Login From Localhost | elementary | 4624 | Microsoft-Windows-Security-Auditing | -| Malspam Execution Registering Malicious DLL | elementary | 1, 11 | Microsoft-Windows-Sysmon | -| Cobalt Strike Default Service Creation Usage | elementary | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager | -| Elise Backdoor | elementary | 1 | Microsoft-Windows-Sysmon | +| Credential Dumping By LaZagne | elementary | 10 | Microsoft-Windows-Sysmon | +| APT29 Fake Google Update Service Install | elementary | 7045 | Service Control Manager | +| Security Support Provider (SSP) Added to LSA Configuration | elementary | 13 | Microsoft-Windows-Sysmon | +| UAC Bypass Via Sdclt | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| Netsh RDP Port Forwarding | elementary | 1 | Microsoft-Windows-Sysmon | +| Msdt (Follina) File Browse Process Execution | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| TrustedInstaller Impersonation | elementary | 4104 | Microsoft-Windows-PowerShell | +| Outlook Registry Access | elementary | 1 | Microsoft-Windows-Sysmon | | Ursnif Registry Key | elementary | 13 | Microsoft-Windows-Sysmon | +| Microsoft 365 Suspicious Inbox Rule | elementary | 1 | | | Blue Mockingbird Malware | elementary | 1 | Microsoft-Windows-Sysmon | -| Dllhost Wrong Parent | elementary | 1 | Microsoft-Windows-Sysmon | -| Raccine Uninstall | elementary | 1 | Microsoft-Windows-Sysmon | -| Mimikatz Basic Commands | elementary | 4103 | Microsoft-Windows-PowerShell | -| Phosphorus (APT35) Exchange Discovery | elementary | 4104 | Microsoft-Windows-PowerShell | -| Microsoft Entra ID (Azure AD) Domain Trust Modification | elementary | 8 | | -| Winword Document Droppers | elementary | 1 | Microsoft-Windows-Sysmon | +| Turla Named Pipes | elementary | 17 | Microsoft-Windows-Sysmon | +| Antivirus Exploitation Framework Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | +| ICacls Granting Access To All | elementary | 1 | Microsoft-Windows-Sysmon | +| Cobalt Strike Default Service Creation Usage | elementary | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager | +| PowerShell Downgrade Attack | elementary | 1 | Microsoft-Windows-Sysmon | +| WMI Install Of Binary | elementary | 1 | Microsoft-Windows-Sysmon | +| WiFi Credentials Harvesting Using Netsh | elementary | 1 | Microsoft-Windows-Sysmon | +| Impacket Wmiexec Module | elementary | 1 | Microsoft-Windows-Sysmon | | Suspicious Double Extension | elementary | 5 | Microsoft-Windows-Sysmon | -| Microsoft Defender for Office 365 Medium Severity AIR Alert | elementary | 64 | | -| UAC Bypass Via Sdclt | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Suspicious HWP Child Process | elementary | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender for Office 365 High Severity AIR Alert | elementary | 64 | | -| OneNote Suspicious Children Process | elementary | 1, 15 | Microsoft-Windows-Sysmon | -| Explorer Wrong Parent | elementary | 1 | Microsoft-Windows-Sysmon | -| Malicious Service Installations | elementary | 4697, 7045 | Service Control Manager | -| Dumpert LSASS Process Dumper | elementary | 7, 11 | Microsoft-Windows-Sysmon | -| Suspicious Windows ANONYMOUS LOGON Local Account Created | elementary | 4720 | Microsoft-Windows-Security-Auditing | -| Copying Browser Files With Credentials | elementary | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus History Directory Deleted | elementary | 1 | Microsoft-Windows-Sysmon | -| Msdt (Follina) File Browse Process Execution | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Copying Sensitive Files With Credential Data | elementary | 1 | Microsoft-Windows-Sysmon | +| Antivirus Relevant File Paths Alerts | elementary | 1116 | Microsoft-Windows-Windows Defender | +| Raccine Uninstall | elementary | 1 | Microsoft-Windows-Sysmon | +| Phorpiex Process Masquerading | elementary | 1 | Microsoft-Windows-Sysmon | +| PowerShell AMSI Deactivation Bypass Using .NET Reflection | elementary | 4104 | Microsoft-Windows-PowerShell | +| Windows Credential Editor Registry Key | elementary | 13 | Microsoft-Windows-Sysmon | | FlowCloud Malware | elementary | 13 | Microsoft-Windows-Sysmon | +| RedMimicry Winnti Playbook Dropped File | elementary | 11 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus History Directory Deleted | elementary | 1 | Microsoft-Windows-Sysmon | +| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | 1, 13, 17, 4697, 7045 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager | +| Process Memory Dump Using Comsvcs | elementary | 1 | Microsoft-Windows-Sysmon | +| DNS Tunnel Technique From MuddyWater | elementary | 1 | Microsoft-Windows-Sysmon | +| SysKey Registry Keys Access | elementary | 4656, 4663 | Microsoft-Windows-Security-Auditing | +| WMI Persistence Command Line Event Consumer | elementary | 7 | Microsoft-Windows-Sysmon | +| Exploited CVE-2020-10189 Zoho ManageEngine | elementary | 1 | Microsoft-Windows-Sysmon | | SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory | elementary | 4704 | Microsoft-Windows-Security-Auditing | -| Audit CVE Event | elementary | 1 | Microsoft-Windows-Audit-CVE | +| PowerShell Credential Prompt | elementary | 4104 | Microsoft-Windows-PowerShell | +| Debugging Software Deactivation | elementary | 1 | Microsoft-Windows-Sysmon | +| Mimikatz Basic Commands | elementary | 4103 | Microsoft-Windows-PowerShell | +| Mustang Panda Dropper | elementary | 1 | Microsoft-Windows-Sysmon | +| Mshta JavaScript Execution | elementary | 1 | Microsoft-Windows-Sysmon | +| AD Object WriteDAC Access | elementary | 4662 | Microsoft-Windows-Security-Auditing | +| Schtasks Persistence With High Privileges | elementary | 1 | Microsoft-Windows-Sysmon | +| Lazarus Loaders | elementary | 1 | Microsoft-Windows-Sysmon | +| Malspam Execution Registering Malicious DLL | elementary | 1, 11 | Microsoft-Windows-Sysmon | +| Process Memory Dump Using Createdump | elementary | 1 | Kernel-Process | +| Elise Backdoor | elementary | 1 | Microsoft-Windows-Sysmon | +| Antivirus Web Shell Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | +| Office Application Startup Office Test | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| Suspicious VBS Execution Parameter | elementary | 1 | Microsoft-Windows-Sysmon | +| Windows Update LolBins | elementary | 1 | Microsoft-Windows-Sysmon | +| RYUK Ransomeware - martinstevens Username | elementary | 4103 | Microsoft-Windows-PowerShell | ## EventIDs occurences in rules | EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 431) | | ------- | ------------------------- | ------------------------------------------------------ | -| 1 | 216 | 50.12 % | +| 1 | 215 | 49.88 % | | 13 | 44 | 10.21 % | | 4104 | 42 | 9.74 % | | 11 | 18 | 4.18 % | | 7 | 15 | 3.48 % | | 5145 | 11 | 2.55 % | | 7045 | 11 | 2.55 % | -| 5 | 9 | 2.09 % | +| 5 | 10 | 2.32 % | | 4656 | 8 | 1.86 % | -| 17 | 6 | 1.39 % | +| 15 | 7 | 1.62 % | | 98 | 6 | 1.39 % | -| 15 | 6 | 1.39 % | +| 17 | 6 | 1.39 % | +| 4663 | 6 | 1.39 % | | 4697 | 6 | 1.39 % | | 10 | 6 | 1.39 % | | 4662 | 6 | 1.39 % | -| 4663 | 6 | 1.39 % | +| 4624 | 5 | 1.16 % | | 1116 | 5 | 1.16 % | | 4688 | 5 | 1.16 % | -| 4624 | 5 | 1.16 % | | 5136 | 5 | 1.16 % | | 3 | 5 | 1.16 % | | 64 | 4 | 0.93 % | -| 22 | 3 | 0.7 % | -| 4625 | 3 | 0.7 % | | 6 | 3 | 0.7 % | -| 4103 | 3 | 0.7 % | | 4720 | 3 | 0.7 % | +| 22 | 3 | 0.7 % | | 12 | 3 | 0.7 % | -| 4799 | 2 | 0.46 % | -| 1033 | 2 | 0.46 % | -| 25 | 2 | 0.46 % | -| 20 | 2 | 0.46 % | -| 30 | 2 | 0.46 % | -| 4728 | 2 | 0.46 % | +| 4625 | 3 | 0.7 % | +| 4103 | 3 | 0.7 % | | 5007 | 2 | 0.46 % | -| 8 | 2 | 0.46 % | +| 4728 | 2 | 0.46 % | | 4729 | 2 | 0.46 % | -| 1000 | 1 | 0.23 % | -| 4776 | 1 | 0.23 % | -| 4674 | 1 | 0.23 % | +| 8 | 2 | 0.46 % | +| 20 | 2 | 0.46 % | +| 4799 | 2 | 0.46 % | +| 30 | 2 | 0.46 % | +| 25 | 2 | 0.46 % | +| 4611 | 1 | 0.23 % | +| 4673 | 1 | 0.23 % | +| 4661 | 1 | 0.23 % | +| 4754 | 1 | 0.23 % | +| 4756 | 1 | 0.23 % | +| 4757 | 1 | 0.23 % | +| 4758 | 1 | 0.23 % | +| 4727 | 1 | 0.23 % | +| 4730 | 1 | 0.23 % | +| 4764 | 1 | 0.23 % | +| 325 | 1 | 0.23 % | +| 6416 | 1 | 0.23 % | +| 4657 | 1 | 0.23 % | +| 19 | 1 | 0.23 % | +| 21 | 1 | 0.23 % | | 4743 | 1 | 0.23 % | -| 4732 | 1 | 0.23 % | -| 5140 | 1 | 0.23 % | +| 5156 | 1 | 0.23 % | +| 4658 | 1 | 0.23 % | +| 4776 | 1 | 0.23 % | +| 8001 | 1 | 0.23 % | +| 524 | 1 | 0.23 % | | 1032 | 1 | 0.23 % | | 1034 | 1 | 0.23 % | | 1031 | 1 | 0.23 % | | 4794 | 1 | 0.23 % | -| 1013 | 1 | 0.23 % | -| 19 | 1 | 0.23 % | -| 21 | 1 | 0.23 % | -| 16 | 1 | 0.23 % | -| 4825 | 1 | 0.23 % | -| 5156 | 1 | 0.23 % | -| 4742 | 1 | 0.23 % | -| 8001 | 1 | 0.23 % | -| 4658 | 1 | 0.23 % | -| 5154 | 1 | 0.23 % | -| 4661 | 1 | 0.23 % | -| 6416 | 1 | 0.23 % | | 517 | 1 | 0.23 % | | 1102 | 1 | 0.23 % | -| 4738 | 1 | 0.23 % | +| 47 | 1 | 0.23 % | +| 4674 | 1 | 0.23 % | +| 1127 | 1 | 0.23 % | +| 5001 | 1 | 0.23 % | +| 5101 | 1 | 0.23 % | +| 5010 | 1 | 0.23 % | +| 5012 | 1 | 0.23 % | +| 2013 | 1 | 0.23 % | | 770 | 1 | 0.23 % | | 771 | 1 | 0.23 % | | 150 | 1 | 0.23 % | -| 4673 | 1 | 0.23 % | +| 16 | 1 | 0.23 % | +| 4649 | 1 | 0.23 % | +| 1013 | 1 | 0.23 % | +| 5154 | 1 | 0.23 % | +| 4825 | 1 | 0.23 % | +| 4706 | 1 | 0.23 % | +| 4707 | 1 | 0.23 % | +| 4738 | 1 | 0.23 % | | 1125 | 1 | 0.23 % | | 1126 | 1 | 0.23 % | | 1006 | 1 | 0.23 % | @@ -522,55 +538,39 @@ The colors of the EventIDs in this page should be interpreted as follow: | 1117 | 1 | 0.23 % | | 1118 | 1 | 0.23 % | | 1119 | 1 | 0.23 % | -| 47 | 1 | 0.23 % | -| 1127 | 1 | 0.23 % | -| 5001 | 1 | 0.23 % | -| 5101 | 1 | 0.23 % | -| 5010 | 1 | 0.23 % | -| 5012 | 1 | 0.23 % | -| 2013 | 1 | 0.23 % | -| 4649 | 1 | 0.23 % | -| 4706 | 1 | 0.23 % | -| 4707 | 1 | 0.23 % | | 27 | 1 | 0.23 % | -| 325 | 1 | 0.23 % | -| 524 | 1 | 0.23 % | -| 4611 | 1 | 0.23 % | -| 4657 | 1 | 0.23 % | -| 4754 | 1 | 0.23 % | -| 4756 | 1 | 0.23 % | -| 4757 | 1 | 0.23 % | -| 4758 | 1 | 0.23 % | -| 4727 | 1 | 0.23 % | -| 4730 | 1 | 0.23 % | -| 4764 | 1 | 0.23 % | +| 5140 | 1 | 0.23 % | +| 4732 | 1 | 0.23 % | | 4704 | 1 | 0.23 % | +| 1000 | 1 | 0.23 % | +| 1033 | 1 | 0.23 % | +| 4742 | 1 | 0.23 % | ## EventProviders occurences in rules | EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 431) | | ------- | ------------------------- | ------------------------------------------------------ | -| Microsoft-Windows-Sysmon | 289 | 67.05 % | +| Microsoft-Windows-Sysmon | 287 | 66.59 % | | Microsoft-Windows-Security-Auditing | 66 | 15.31 % | | Microsoft-Windows-PowerShell | 45 | 10.44 % | +| Kernel-Process | 11 | 2.55 % | | Service Control Manager | 11 | 2.55 % | -| Kernel-Process | 10 | 2.32 % | | Microsoft-Windows-Windows Defender | 9 | 2.09 % | | Microsoft-Windows-Kernel-File | 2 | 0.46 % | -| Application Error | 1 | 0.23 % | -| Microsoft-Windows-DHCP-Server | 1 | 0.23 % | -| Microsoft-Windows-Kernel-General | 1 | 0.23 % | +| Microsoft-Windows-DHCP-Server | 2 | 0.46 % | +| ESENT | 1 | 0.23 % | +| Microsoft-Windows-Audit-CVE | 1 | 0.23 % | | Microsoft-Windows-NTLM | 1 | 0.23 % | -| Microsoft-Windows-Kernel-Process | 1 | 0.23 % | +| Microsoft-Windows-Backup | 1 | 0.23 % | | Microsoft-Windows-Eventlog | 1 | 0.23 % | | Microsoft-Windows-DNS-Server-Service | 1 | 0.23 % | -| ESENT | 1 | 0.23 % | -| Microsoft-Windows-Backup | 1 | 0.23 % | -| Microsoft-Windows-Audit-CVE | 1 | 0.23 % | +| Microsoft-Windows-Kernel-Process | 1 | 0.23 % | +| Microsoft-Windows-Kernel-General | 1 | 0.23 % | +| Application Error | 1 | 0.23 % | ## EffortLevel x EventIDs | Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 431 | | ------------ | -------- | ----------------------- | ------------------------------------------------------- | -| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 25, 27, 3, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4727, 4728, 4729, 4730, 4743, 4754, 4756, 4757, 4758, 4764, 5007, 5140, 5145, 7, 770, 771, 8001, 98 | 76 | 17.63 % | -| advanced | 1, 10, 11, 1127, 13, 15, 17, 19, 20, 2013, 21, 22, 4104, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5, 5001, 5010, 5012, 5101, 5136, 5145, 5154, 5156, 64, 6416, 7, 7045, 8 | 73 | 16.94 % | -| intermediate | 1, 10, 1000, 1006, 1007, 1008, 1015, 1031, 1032, 1033, 1034, 11, 1102, 1116, 1117, 1118, 1119, 1125, 1126, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 47, 4720, 4732, 4738, 4742, 4794, 4799, 4825, 5, 5136, 5145, 517, 524, 6, 64, 7, 7045 | 184 | 42.69 % | -| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4624, 4625, 4656, 4662, 4663, 4697, 4704, 4720, 5, 6, 64, 7, 7045, 8 | 98 | 22.74 % | \ No newline at end of file +| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 25, 27, 3, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4727, 4728, 4729, 4730, 4743, 4754, 4756, 4757, 4758, 4764, 5007, 5140, 5145, 7, 770, 771, 8001, 98 | 75 | 17.4 % | +| advanced | 1, 10, 11, 1127, 13, 15, 17, 19, 20, 2013, 21, 22, 4104, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5, 5001, 5010, 5012, 5101, 5136, 5145, 5154, 5156, 64, 6416, 7, 7045, 8 | 74 | 17.17 % | +| intermediate | 1, 10, 1000, 1006, 1007, 1008, 1015, 1031, 1032, 1033, 1034, 11, 1102, 1116, 1117, 1118, 1119, 1125, 1126, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 47, 4720, 4732, 4738, 4742, 4794, 4799, 4825, 5, 5136, 5145, 517, 524, 6, 64, 7, 7045 | 183 | 42.46 % | +| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4624, 4625, 4656, 4662, 4663, 4697, 4704, 4720, 5, 6, 64, 7, 7045, 8 | 99 | 22.97 % | \ No newline at end of file