From 70298fc026d039f8ebd7c86569a843120aee6cd6 Mon Sep 17 00:00:00 2001 
From: mjeusset
Date: Wed, 31 Jan 2024 16:44:42 +0000
Subject: [PATCH] Refresh Built-in detection rules documentation
---
 ...f5e-a585fc7c8fc0_do_not_edit_manually.json | 2 +-
 ...41e-af269b45bef1_do_not_edit_manually.json | 2 +-
 ...7d1-588319e39d71_do_not_edit_manually.json | 2 +-
 ...5c4-c8174c307e48_do_not_edit_manually.json | 2 +-
 ...06d-f92f3a46bcdd_do_not_edit_manually.json | 2 +-
 ...575-9e43af779f9f_do_not_edit_manually.json | 2 +-
 ...5e2-4597e366b8c4_do_not_edit_manually.json | 2 +-
 ...02e-e88fe2193365_do_not_edit_manually.json | 2 +-
 ...803-e7990afe78b6_do_not_edit_manually.json | 2 +-
 ...b17-90c0be6b1f10_do_not_edit_manually.json | 2 +-
 ...9b6-76bf5298a617_do_not_edit_manually.json | 2 +-
 ...fbd-01e3fac01cd5_do_not_edit_manually.json | 2 +-
 ...c24-2d7129137688_do_not_edit_manually.json | 2 +-
 ...13a-f8dd48cddc8c_do_not_edit_manually.json | 2 +-
 ...46b-974354a107bb_do_not_edit_manually.json | 2 +-
 ...cfd-43f7d9595777_do_not_edit_manually.json | 2 +-
 ...d19-67edc91fb063_do_not_edit_manually.json | 2 +-
 ...e06-7b335e439c29_do_not_edit_manually.json | 2 +-
 ...916-636c27ba4931_do_not_edit_manually.json | 2 +-
 ...b02-e72f870fcbd1_do_not_edit_manually.json | 2 +-
 ...58e-81b9418e6584_do_not_edit_manually.json | 2 +-
 ...901-b7fadfb0ba48_do_not_edit_manually.json | 2 +-
 ...038-3f7d5a3b8b11_do_not_edit_manually.json | 2 +-
 ...00a-2b58303cac90_do_not_edit_manually.json | 2 +-
 ...e47-1574946412b6_do_not_edit_manually.json | 2 +-
 ...750-5db882ea1266_do_not_edit_manually.json | 2 +-
 ...e19-e38e167432a1_do_not_edit_manually.json | 2 +-
 ...033-6f1f887a70f2_do_not_edit_manually.json | 2 +-
 ...597-d2944a601930_do_not_edit_manually.json | 2 +-
 ...6bd-91a447bb26bd_do_not_edit_manually.json | 2 +-
 ...f3b-f73a622c9687_do_not_edit_manually.json | 2 +-
 ...c99-5c2de7e1d340_do_not_edit_manually.json | 2 +-
 ...4fa-28d6c1f2e2a8_do_not_edit_manually.json | 2 +-
 ...d69-684a0b3835fc_do_not_edit_manually.json | 2 +-
 ...d60-8fd5e39140b3_do_not_edit_manually.json | 2 +-
 ...109-c6d85b91bbcf_do_not_edit_manually.json | 2 +-
 ...703-7452882e70da_do_not_edit_manually.json | 2 +-
 ...2ff-0e1cde564161_do_not_edit_manually.json | 2 +-
 ...f81-30df7b1963a0_do_not_edit_manually.json | 2 +-
 ...e09-44d31626b694_do_not_edit_manually.json | 2 +-
 ...28f-3ee3cd5b9a8e_do_not_edit_manually.json | 2 +-
 ...47b-ef64dd87c981_do_not_edit_manually.json | 2 +-
 ...746-b2b9f366e34b_do_not_edit_manually.json | 2 +-
 ...780-b225c59e9f99_do_not_edit_manually.json | 2 +-
 ...1f3-49e3993c16f5_do_not_edit_manually.json | 2 +-
 ...f2d-eed5013fe463_do_not_edit_manually.json | 2 +-
 ...4cf-3e64787c1c39_do_not_edit_manually.json | 2 +-
 ...60f-2d3fd0b46987_do_not_edit_manually.json | 2 +-
 ...c15-3828627ba899_do_not_edit_manually.json | 2 +-
 ...5de-5c2722fa020e_do_not_edit_manually.json | 2 +-
 ...a62-49fa5f2c9206_do_not_edit_manually.json | 2 +-
 ...d8b-08d6315e1ef6_do_not_edit_manually.json | 2 +-
 ...70f-fd3b54ba1fe4_do_not_edit_manually.json | 2 +-
 ...fb3-f7c543fd84a5_do_not_edit_manually.json | 2 +-
 ...b6d-3f79045f28fa_do_not_edit_manually.json | 2 +-
 ...a81-31090d723a60_do_not_edit_manually.json | 2 +-
 ...bc9-74be1e0ca1c1_do_not_edit_manually.json | 2 +-
 ...cbb-bc830118c1f9_do_not_edit_manually.json | 2 +-
 ...079-ab35ac6b2ab9_do_not_edit_manually.json | 2 +-
 ...b3d-b7cb7b7db618_do_not_edit_manually.json | 2 +-
 ...079-3dd25d472e0a_do_not_edit_manually.json | 2 +-
 ...96a-8808b3c6cade_do_not_edit_manually.json | 2 +-
 ...b6f-a8e4dcac3d1d_do_not_edit_manually.json | 2 +-
 ...f1d-772e9a30f0dd_do_not_edit_manually.json | 2 +-
 ...563-db21da09cafd_do_not_edit_manually.json | 2 +-
 ...bcc-45fd108ba1be_do_not_edit_manually.json | 2 +-
 ...93f-bbd70d114188_do_not_edit_manually.json | 2 +-
 ...90d-9af2f7be7019_do_not_edit_manually.json | 2 +-
 ...76c-408472fcfebb_do_not_edit_manually.json | 2 +-
 ...462-cf7fc8bcd51a_do_not_edit_manually.json | 2 +-
 ...060-a9d9f2d270db_do_not_edit_manually.json | 2 +-
 ...dd4-30f1870e3d03_do_not_edit_manually.json | 2 +-
 ...afa-595bd430c0cb_do_not_edit_manually.json | 2 +-
 ...e37-842703494be0_do_not_edit_manually.json | 2 +-
 ...ae5-aa67d2f29fcb_do_not_edit_manually.json | 2 +-
 ...0b6-7df6738d5d7f_do_not_edit_manually.json | 2 +-
 ...79a-f97be24cc02d_do_not_edit_manually.json | 2 +-
 ...e56-0242ac120002_do_not_edit_manually.json | 2 +-
 ...763-aad3451821e5_do_not_edit_manually.json | 2 +-
 ...0ce-dbcae04eaf26_do_not_edit_manually.json | 2 +-
 ...b7a-4f2d0a518b04_do_not_edit_manually.json | 2 +-
 ...475-a7f43754ab6d_do_not_edit_manually.json | 2 +-
 ...5aa-2a6a900df99b_do_not_edit_manually.json | 2 +-
 ...3ba-652eca2e8ed0_do_not_edit_manually.json | 2 +-
 ...43e-9848cadb1f99_do_not_edit_manually.json | 2 +-
 ...844-f7f4d7348199_do_not_edit_manually.json | 2 +-
 ...a64-fb65d4b0a4cf_do_not_edit_manually.json | 2 +-
 ...847-983f38efb8ff_do_not_edit_manually.json | 2 +-
 ...602-a5994544d9ed_do_not_edit_manually.json | 2 +-
 ...e3d-587fdd99a421_do_not_edit_manually.json | 2 +-
 ...bb3-f0290b99f014_do_not_edit_manually.json | 2 +-
 ...723-84060aeb5529_do_not_edit_manually.json | 2 +-
 ...f71-46155af56570_do_not_edit_manually.json | 2 +-
 ...15f-1f83807ff3cc_do_not_edit_manually.json | 2 +-
 ...659-4cb814431e29_do_not_edit_manually.json | 2 +-
 ...fa0-c63661820941_do_not_edit_manually.json | 2 +-
 ...9c5-e075f3fb3216_do_not_edit_manually.json | 2 +-
 ...e89-f2b8be4baf4e_do_not_edit_manually.json | 2 +-
 ...8ed-b7fb3d7fa232_do_not_edit_manually.json | 2 +-
 ...785-c1276277b5d7_do_not_edit_manually.json | 2 +-
 ...e0e-ca4e6cecf7e6_do_not_edit_manually.json | 2 +-
 ...af5-b69c7b679887_do_not_edit_manually.json | 2 +-
 ...cb6-2f574bd4ce51_do_not_edit_manually.json | 2 +-
 ...399-ddd992d48472_do_not_edit_manually.json | 2 +-
 ...c2d-e2cfa46bf0e5_do_not_edit_manually.json | 2 +-
 ...098-fe4a9e0aeaa0_do_not_edit_manually.json | 2 +-
 ...7e6-7e0948e12415_do_not_edit_manually.json | 2 +-
 ...in_rules_changelog_do_not_edit_manually.md | 118 +--
 .../built_in_rules_do_not_edit_manually.md | 15 +-
 .../built_in_detection_rules_eventids.md | 934 +++++++++---------
 110 files changed, 644 insertions(+), 637 deletions(-)
diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
index c11d00b19c..1965f2b50a 100644
--- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Microsoft Defender Antivirus 
Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware 
Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", 
"score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function 
Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi 
Credentials Harvesting Using Netsh"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", 
"score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls 
Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Address Space Layout Randomization 
(ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, 
CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft 
Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via 
PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": 
"Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json index ca9163d58e..a2ea6ff948 100644 --- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Microsoft 
Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, 
MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Elise Backdoor, PowerShell Downgrade Attack, Python Offensive Tools and Packages"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", 
"score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: 
BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, CMSTP Execution, MavInject Process Injection, xWizard Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": 
"Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": 
"T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port 
Forwarding, SSH Tunnel Traffic, Exfiltration And Tunneling Tools Execution, SSH X11 Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious 
Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, 
{"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification, Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 
100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - 
Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Lazarus Loaders, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: 
Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": 
"Rules: Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Mshta JavaScript Execution, CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH X11 Forwarding, SSH Tunnel Traffic, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, 
Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command 
Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", 
"score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": 
"T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": 
"T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and 
Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: 
Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, File and Directory Permissions Modification"}, {"techniqueID": "T1098", "score": 
100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json index c33f30deb6..f00b98cfb2 100644 --- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", 
"score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 
SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json index f285e739f7..b580d571ce 100644 
--- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, WithSecure Elements Critical Severity, Sysmon Windows File Block Executable, Download Files From Non-Legitimate TLDs, Microsoft Defender Antivirus Threat Detected, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Sysmon Windows File Block Executable, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: 
Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Microsoft Defender Antivirus Tampering Detected, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: 
Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Download From URL, WithSecure Elements Critical Severity, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From 
Suspicious Folder, Elise Backdoor, PowerShell Downgrade Attack, Python Offensive Tools and Packages"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", 
"score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious 
Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS 
Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Control Panel Items, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, Suspicious Mshta Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution, CertOC Loading Dll"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By 
Unknown Tool"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, WithSecure Elements Critical Severity, PsExec Process, Usage Of Procdump With Common Arguments, Microsoft Defender Antivirus Threat Detected"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1036.002", "score": 100, 
"comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", 
"score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, 
{"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, 
"comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1552.007", "score": 100, 
"comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 
Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Lazarus Loaders, Elise Backdoor, WithSecure Elements Critical Severity, Sysprep On AppData Folder, PowerShell Downgrade Attack, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Threat Detected, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, 
WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1552", "score": 100, "comment": 
"Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Mshta JavaScript Execution, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, Suspicious Mshta Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, xWizard Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.005", 
"score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Cron Files Alteration, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, 
Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential 
Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, 
"comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, 
{"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History 
Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, Microsoft Defender Antivirus Threat Detected, WithSecure Elements Critical Severity, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With 
Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via 
PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, WithSecure Elements Critical Severity, Sysmon Windows File Block Executable"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt 
Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, Sysmon Windows File Block Executable"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 
100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json index fb18a824aa..f14f532ba5 100644 --- a/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_04d36706-ee4a-419b-906d-f92f3a46bcdd_do_not_edit_manually.json 
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Report", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
index 1d3be0df67..d3309ad992 100644
--- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft 365 Defender For Endpoint Alert, Exploit For CVE-2015-1641, Microsoft 365 Defender Alert, Microsoft 365 Defender Cloud App Security Alert, IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender for Office 365 Alert, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 
100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": 
"T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Disabled Service, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": 
"T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Suspicious Driver Loaded, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Disabled Service, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Powershell Web Request, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, 
{"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, Socat Reverse Shell Detection, Interactive Terminal Spawned via Python, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Lazarus Loaders, Microsoft 365 Defender Alert, PowerShell Download From URL, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Microsoft 365 Defender For Endpoint Alert, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft 365 Defender Cloud App Security Alert, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender for Office 365 Alert, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Elise Backdoor, PowerShell Downgrade Attack, Python Offensive Tools and Packages"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1003.002", "score": 100, 
"comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission 
Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent"}, {"techniqueID": "T1036.005", 
"score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winword wrong parent, Winrshost Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winword wrong parent, Winrshost Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, MOFComp Execution, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, IcedID Execution Using Excel, CMSTP Execution, CertOC Loading Dll"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In 
Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Winword wrong parent, 
Suspicious DNS Child Process, Winrshost Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Wininit Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft 365 Defender Cloud App Security Alert, Winword wrong parent, Windows Update LolBins, SolarWinds Suspicious File Creation, Microsoft 365 Defender Alert, Suspicious DNS Child Process, Winrshost Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Wrong Child Process, PsExec Process, Suspicious Commands From MS SQL Server Shell, Microsoft Defender for Office 365 Alert, Usage Of Procdump With Common Arguments, Wininit Wrong Parent, Microsoft 365 Defender For Endpoint Alert"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1566.001", "score": 
100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 
100, "comment": "Rules: Netsh Port Forwarding, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": 
"Rules: Kernel Module Alteration, NjRat Registry Changes, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session 
Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", 
"score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Python 
Offensive Tools and Packages, Lazarus Loaders, Suspicious Outlook Child Process, Venom Multi-hop Proxy agent detection, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Socat Relaying Socket, Socat Reverse Shell Detection, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Interactive Terminal Spawned via Python, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender for Office 365 Alert, Microsoft 365 Defender For Endpoint Alert, PowerShell EncodedCommand, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Microsoft 365 Defender Cloud App Security Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Microsoft 365 Defender Alert, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1136", "score": 100, "comment": 
"Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, 
Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword 
Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Microsoft 365 Defender For Endpoint Alert, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Microsoft 365 Defender Cloud App Security Alert, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft 365 Defender Alert, Microsoft Office Product Spawning Windows Shell, Download Files From Suspicious TLDs, Microsoft Defender for Office 365 Alert"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MOFComp Execution, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, xWizard Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell 
Execution Via Rundll32"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Ngrok Process Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Disable Workstation Lock, FlowCloud Malware"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs 
Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, SELinux Disabling, 
Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wininit Wrong Parent, Winrshost Wrong Parent, New Service Creation, Winword wrong parent, Explorer Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wininit Wrong Parent, Winrshost Wrong Parent, New Service Creation, Winword wrong parent, Explorer Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wininit Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Winword wrong parent, SolarWinds Wrong Child Process, PsExec Process, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Microsoft 365 Defender For Endpoint Alert, Wininit Wrong Parent, Windows Update LolBins, Winrshost Wrong Parent, Microsoft Defender for Office 365 Alert, Usage Of Procdump With Common Arguments, Winword wrong parent, SolarWinds Wrong Child Process, Microsoft 365 Defender Cloud App Security Alert, PsExec Process, Suspicious Commands From MS SQL Server Shell, Microsoft 365 Defender Alert, Usage Of Sysinternals Tools, Suspicious DNS Child Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1190", "score": 
100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1064", "score": 
100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain 
Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, Kernel Module Alteration, NjRat Registry Changes"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and 
Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: 
Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying 
Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", 
"score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
index 16f686f29e..95f5e5dd4e 100644
--- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools 
Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]} \ No newline at end of file +{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, 
{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP 
Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json index 08b1c50319..dca94ac433 100644 --- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Trend Micro Apex One Data Loss Prevention Alert, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Trend Micro Apex One Malware Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From 
Spoolsv"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools 
Execution, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled 
Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Trend Micro Apex One Data Loss Prevention Alert, Suspicious Microsoft Defender Antivirus 
Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Elise Backdoor, PowerShell Downgrade Attack, Trend Micro Apex One Malware Alert, Python Offensive Tools and Packages"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying 
Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage 
Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, CMSTP Execution, MavInject Process Injection, xWizard Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": 
"Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Trend Micro Apex One Data Loss Prevention Alert, SolarWinds Suspicious File Creation, PsExec Process, Usage Of Procdump With Common Arguments, Trend Micro Apex One Malware Alert"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, 
{"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives 
Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless 
Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", 
"score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": 
"Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell 
Commandlets, Python Offensive Tools and Packages, Lazarus Loaders, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Trend Micro Apex One Data Loss Prevention Alert, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Trend Micro Apex One Malware Alert, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, 
Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via 
Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Mshta JavaScript Execution, CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Cron Files 
Alteration, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Netsh Allow Command, Microsoft Defender 
Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell 
EncodedCommand"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, 
CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, 
Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, 
{"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Trend Micro Apex One Data Loss Prevention Alert, PsExec Process, Trend Micro Apex One Malware Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, 
{"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", 
"score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Trend Micro Apex One Data Loss Prevention Alert, Explorer Process Executing HTA File, Trend Micro Apex One Malware Alert, Download Files From Suspicious TLDs"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": 
"T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of 
file
diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
index 40da4960d0..ecddab0f49 100644
--- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR SSO User Added, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Detected (Malicious), SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": 
"T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, 
Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Package Manager Alteration, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, 
DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Lazarus Loaders, Suspicious Cmd.exe Command Line, SentinelOne EDR Custom Rule Alert, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Detected (Suspicious), Suspicious Taskkill Command, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Remediate Success, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR User Failed To Log In To The Management Console, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Malicious Threat Not Mitigated, Exploiting SetupComplete.cmd CVE-2019-1378, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR SSO User Added, SentinelOne EDR Threat Mitigation Report Kill Success, Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR User Logged In To The Management Console"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed 
With Rar With Password"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Cron Files Alteration, STRRAT Scheduled Task"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious Cmd.exe Command Line, 
SquirrelWaffle Malspam Execution Loading DLL, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR SSO User Added, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Remediate Success, SolarWinds Wrong Child 
Process, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Mitigation Report Quarantine Failed, Usage Of Procdump With Common Arguments, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Detected (Malicious)"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": 
"T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1548.002", "score": 100, "comment": 
"Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, 
{"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: SentinelOne EDR Threat Mitigation Report Kill Success, Lazarus Loaders, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Detected 
(Malicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Agent Disabled, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Threat Mitigation Report Quarantine Success, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), SentinelOne EDR User Logged In To The Management Console, Suspicious Cmd.exe Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, SentinelOne EDR User Failed To Log In To The Management Console, Default Encoding To UTF-8 PowerShell, SentinelOne EDR Malicious Threat Not Mitigated, Suspicious Taskkill Command, SentinelOne EDR Threat Mitigation Report Remediate Success, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR SSO User Added, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, Suspicious PowerShell Invocations - Specific, SentinelOne EDR Custom Rule Alert"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, 
Impacket Wmiexec Module, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Possible Malicious File Double Extension, Phorpiex Process Masquerading"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Agent Disabled, SentinelOne EDR Custom Rule Alert, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, WMIC Uninstall Product"}, {"techniqueID": 
"T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Cron Files Alteration, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, 
WMIC Uninstall Product, Package Manager Alteration, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1036.002", "score": 100, 
"comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) 
Alteration"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Kill Success, Usage Of Procdump With Common Arguments, SentinelOne EDR User Logged In To The Management Console, SolarWinds Wrong Child Process, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR SSO User Added, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat 
Mitigation Report Quarantine Failed, SentinelOne EDR Agent Disabled, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence)"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic 
MSHTML Command, Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: 
Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": 
"T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json index 0c0623c89e..9267f858d4 100644 --- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader 
User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json index df4a9cfc4a..69787788d6 100644 --- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, 
Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Powershell Web Request, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Lazarus Loaders, PowerShell Download From URL, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious 
Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Mshta Suspicious Child Process, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Elise Backdoor, PowerShell Downgrade Attack"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing 
Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", 
"score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Cron Files Alteration, STRRAT Scheduled Task"}, {"techniqueID": 
"T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Explorer Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Explorer Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, PowerCat Function Loading"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Equation Group DLL_U Load, 
PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, MOFComp Execution, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, IcedID Execution Using Excel, CMSTP Execution, CertOC Loading Dll"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: 
Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Suspicious DNS Child Process, SolarWinds Wrong Child Process, PsExec Process, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Winword wrong parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Windows Update LolBins, Suspicious DNS Child Process, SolarWinds Wrong Child Process, PsExec Process, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Winword wrong parent"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool 
Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi 
Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To 
Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To 
Determine The Antivirus"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via 
Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, 
"comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Suspicious Outlook Child Process, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Cron Files Alteration, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: 
Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And 
SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, IIS Module Installation Using AppCmd, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, 
Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MOFComp Execution, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, xWizard Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, 
{"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall 
Product, Package Manager Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Winword wrong parent, SolarWinds Wrong Child Process, PsExec Process, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Windows Update LolBins, Usage Of Procdump With Common Arguments, Winword wrong parent, SolarWinds Wrong Child Process, PsExec Process, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", 
"score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation, Winword wrong parent, SolarWinds Wrong Child Process, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation, Winword wrong parent, SolarWinds Wrong Child Process, Explorer Wrong Parent, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1562.004", 
"score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, 
Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs 
Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration 
and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, 
"comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, 
{"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
index 3b63718758..8d750d05fa 100644
--- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, 
Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Driver Loaded, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: 
Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To 
Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1047", "score": 100, 
"comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Netsh Port Forwarding, SOCKS 
Tunneling Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1176", "score": 100, 
"comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": 
"Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Venom Multi-hop Proxy agent detection, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command 
Line, Process Memory Dump Using Comsvcs, Windows Credential Editor Registry Key, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, Blue Mockingbird Malware, Disable Workstation Lock, FlowCloud Malware"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, 
"comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Suspicious Driver Loaded, AMSI Deactivation Using Registry Key, Netsh RDP Port Forwarding, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Allowed Python Program, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": 
"T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools, Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, 
"comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, 
Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Python HTTP Server, SEKOIA.IO Intelligence Feed, Bazar Loader DGA 
(Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, 
{"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json index d63a7bc4d4..1d33d9703d 100644 --- a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With 
MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through 
LDAP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, 
{"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1070.001", "score": 100, 
"comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1176", "score": 100, 
"comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib 
Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: 
Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, 
Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: 
Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With 
Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools 
Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": 
"T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json index 37a11b446e..971d90c843 100644 --- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, 
SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json index e2752fa627..81be50de79 100644 --- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Abnormal Token"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) 
Password Spray, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Abnormal Token"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Threat Intelligence"}, {"techniqueID": "T1584", "score": 
100, "comment": "Rules: Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Threat Intelligence"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json index 43dedc7f31..08c483c5d5 100644 
--- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From 
Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, 
"comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": 
"T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]} \ No newline at end of file +{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 
servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, 
CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1546.003", "score": 100, 
"comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", 
"score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json index a17cf7e5cf..c9c6c92d9d 100644 --- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, 
Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, 
{"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows 
Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": 
"T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": 
"T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment 
Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, 
"comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software 
Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, 
"comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft 
Defender Antivirus Exclusion Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", 
"score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash 
Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
index 964939b4bd..0e0d372427 100644
--- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: 
Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong 
Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Critical Severity, Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Windows Update LolBins, SolarWinds Suspicious File Creation, CrowdStrike Falcon Intrusion Detection High Severity, Lsass Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout 
Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender 
Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Powershell Web Request, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, CrowdStrike Falcon Intrusion Detection Critical Severity, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Lazarus Loaders, PowerShell Download From URL, Suspicious Cmd.exe Command Line, CrowdStrike Falcon Intrusion Detection Medium Severity, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, CrowdStrike Falcon Intrusion Detection Low Severity, Suspicious Taskkill Command, CrowdStrike Falcon Intrusion Detection, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC 
Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Mshta Suspicious Child Process, Trickbot Malware Activity, Suspicious Outlook Child Process, CrowdStrike Falcon Intrusion Detection Informational Severity, Suspicious PrinterPorts Creation (CVE-2020-1048), CrowdStrike Falcon Intrusion Detection High Severity, Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Elise Backdoor, PowerShell Downgrade Attack, Python Offensive Tools and Packages"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, Bloodhound and 
Sharphound Tools Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection Low Severity, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Critical Severity, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection High Severity, IcedID Execution Using Excel, Explorer Process Executing HTA File, CrowdStrike Falcon Intrusion Detection Medium Severity, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: 
Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue 
Mockingbird Malware, STRRAT Scheduled Task"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, MOFComp Execution, Explorer Process Executing HTA File, 
MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, IcedID Execution Using Excel, CMSTP Execution, CertOC Loading Dll"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, 
{"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child 
Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, 
Suspicious DNS Child Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": 
"T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", 
"score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) 
Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Lazarus Loaders, CrowdStrike Falcon Intrusion Detection, Suspicious Outlook Child Process, Trickbot Malware Activity, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Informational Severity, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious Microsoft 
Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, CrowdStrike Falcon Intrusion Detection Medium Severity, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Intrusion Detection Low Severity, PowerShell EncodedCommand, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, CrowdStrike Falcon Intrusion Detection High Severity, CrowdStrike Falcon Intrusion Detection Critical Severity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, HackTools Suspicious 
Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059.007", "score": 100, 
"comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, 
Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection Low Severity, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, CrowdStrike Falcon Intrusion Detection Informational Severity, Exploit For CVE-2015-1641, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection High Severity, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Intrusion Detection Medium Severity"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MOFComp Execution, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, xWizard Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To 
Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, 
Dllhost Wrong Parent, New Service Creation, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, CrowdStrike Falcon Intrusion 
Detection, Svchost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity, Csrss Child Found, Windows Update LolBins, Winword wrong parent, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection High Severity, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, CrowdStrike Falcon Intrusion Detection Medium Severity, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout 
Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS 
Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows 
Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: 
Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files 
With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": 
"T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild 
Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable 
Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json index a060ee513d..62591b13e2 100644 --- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: 
Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File 
Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab CVE-2021-22205, CVE-2021-43798 Grafana 
Directory Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, 
"comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json index 0b0c650cb0..2d71329d7f 100644 --- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Cisco Umbrella Threat Detected, Suspicious HWP Child Process"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Suspicious LDAP-Attributes Used, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Dynwrapx Module Loading, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Smss Wrong Parent, Taskhostw Wrong Parent, Process Hollowing Detection, Cobalt Strike Named Pipes, Wsmprovhost Wrong Parent, Process Herpaderping, MavInject Process Injection, CreateRemoteThread Common Process Injection, Malicious Named Pipe, Svchost Wrong Parent, Explorer Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wsmprovhost 
Wrong Parent, Svchost Wrong Parent, Gpscript Suspicious Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Malicious Service Installations, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Chafer (APT 39) Activity, APT29 Fake Google Update Service Install, StoneDrill Service Install, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Cobalt Strike Default Service Creation Usage, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Gpscript Suspicious Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Malicious Service Installations, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Chafer (APT 39) Activity, APT29 Fake Google Update Service Install, StoneDrill Service Install, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Cobalt Strike Default Service Creation Usage, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, 
{"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Gpscript Suspicious Parent, Metasploit PSExec Service Creation, Userinit Wrong Parent, Suspicious PsExec Execution, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Malicious Service Installations, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Credential Dumping Tools Service Execution, Smbexec.py Service Installation, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Gpscript Suspicious Parent, Metasploit PSExec Service Creation, Userinit Wrong Parent, Suspicious PsExec Execution, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Malicious Service Installations, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong 
Parent, Winword wrong parent, Credential Dumping Tools Service Execution, Windows Update LolBins, SolarWinds Suspicious File Creation, Smbexec.py Service Installation, Lsass Wrong Parent, Rare Lsass Child Found, Microsoft Defender Antivirus Threat Detected, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Antivirus Password Dumper Detection, Audit CVE Event, Suspicious HWP Child Process, Msdt (Follina) File Browse Process Execution, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Secure Deletion With SDelete, Microsoft Defender Antivirus History Deleted, Eventlog Cleared, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Microsoft Defender Antivirus Configuration Changed, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Ryuk Ransomware Command Line, Suspicious Driver 
Loaded, Netsh Program Allowed With Suspicious Location, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, NetNTLM Downgrade Attack, Clear EventLogs Through CommandLine, AMSI Deactivation Using Registry Key, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Exclusion Configuration, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Suspect Svchost Memory Access, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Python Opening Ports, Netsh Allow Command, Powershell AMSI Bypass, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Services, Netsh Port Opening, Microsoft Defender Antivirus Configuration Changed, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Ryuk Ransomware Command Line, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable Scheduled Tasks, 
NetNTLM Downgrade Attack, AMSI Deactivation Using Registry Key, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Exclusion Configuration, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Credential Prompt, WMImplant Hack Tool, Powershell Web Request, Suspicious PowerShell Keywords, PowerShell EncodedCommand, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic, In-memory PowerShell, PowerShell - NTFS Alternate Data Stream, Suspicious Taskkill Command, Invoke-TheHash Commandlets, Turla Named Pipes, FromBase64String Command Line, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Detection of default Mimikatz banner, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command 
Line, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Credential Prompt, WMImplant Hack Tool, Powershell Web Request, Suspicious PowerShell Keywords, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Lazarus Loaders, PowerShell Download From URL, Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Generic, XSL Script Processing And SquiblyTwo Attack, In-memory PowerShell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, PowerShell - NTFS Alternate Data Stream, Suspicious Taskkill Command, Mustang Panda Dropper, Suspicious DLL Loaded Via Office Applications, Suspicious CodePage Switch with CHCP, Invoke-TheHash Commandlets, Turla Named Pipes, FromBase64String Command Line, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Threat Detected, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Detection of default Mimikatz banner, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Scripting In A WMI Consumer, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Mshta Suspicious Child Process, Microsoft Office Creating Suspicious File, PowerShell 
Malicious PowerShell Commandlets, WMI DLL Loaded Via Office, Suspicious Outlook Child Process, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Venom Multi-hop Proxy agent detection, Elise Backdoor, PowerShell Downgrade Attack"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Ryuk Ransomware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Svchost Modification, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Suspicious desktop.ini Action, Narrator Feedback-Hub Persistence, Kernel Module Alteration, Ryuk Ransomware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Svchost Modification, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, Dumpert LSASS Process Dumper, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Mimikatz Basic Commands, Wdigest Enable UseLogonCredential, Mimikatz LSASS Memory Access, Cmdkey Cached Credentials Recon, Malicious Service Installations, 
HackTools Suspicious Names, Lsass Access Through WinRM, HackTools Suspicious Process Names In Command Line, Credential Dumping By LaZagne, Process Memory Dump Using Comsvcs, Transfering Files With Credential Data Via Network Shares, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, NetNTLM Downgrade Attack, Active Directory Replication from Non Machine Account, LSASS Memory Dump File Creation, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, SAM Registry Hive Handle Request, LSASS Memory Dump, Active Directory Database Dump Via Ntdsutil, RedMimicry Winnti Playbook Dropped File, LSASS Access From Non System Account, DCSync Attack, Unsigned Image Loaded Into LSASS Process, Windows Credential Editor Registry Key, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Password Dumper Activity On LSASS, Process Memory Dump Using Createdump, Suspicious SAM Dump, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Event Subscription, Suspicious Scripting In A WMI Consumer, Change Default File 
Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Mimikatz LSASS Memory Access, Cred Dump Tools Dropped Files, LSASS Memory Dump, Credential Dumping Tools Service Execution, Lsass Access Through WinRM, Password Dumper Activity On LSASS, Unsigned Image Loaded Into LSASS Process, Process Memory Dump Using Createdump, Credential Dumping By LaZagne, Dumpert LSASS Process Dumper, Process Memory Dump Using Rdrleakdiag, LSASS Access From Non System Account, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key, LSASS Memory Dump File Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, SAM Registry Hive Handle Request, Suspicious SAM Dump, RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Remote Service Activity Via 
SVCCTL Named Pipe, Smbexec.py Service Installation, Lateral Movement - Remote Named Pipe, Admin Share Access, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Protected Storage Service Access, Lsass Access Through WinRM, MMC Spawning Windows Shell, Remote Service Activity Via SVCCTL Named Pipe, RDP Login From Localhost, RDP Port Change Using Powershell, Smbexec.py Service Installation, Lateral Movement - Remote Named Pipe, Admin Share Access, Denied Access To Remote Desktop, MMC20 Lateral Movement, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, Admin User RDP Remote Logon, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files, NTDS.dit File In Suspicious Directory, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, AdFind Usage, Phosphorus Domain Controller Discovery, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked (HL-AI engine), Sysmon Windows File Block Executable, HarfangLab EDR High Level Rule Detection, HarfangLab 
EDR Suspicious Process Behavior Has Been Detected, Exploit For CVE-2015-1641, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked (HL-AI engine), Sysmon Windows File Block Executable, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Exploit For CVE-2015-1641, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Python Opening Ports, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": 
"T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Register New Logon Process, Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Audit CVE Event, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 2, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Remote Privileged Group Enumeration, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack 
Tool, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, Wmic Process Call Creation, WMI DLL Loaded Via Office, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, WMI DLL Loaded Via Office, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Werfault DLL Injection, Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Werfault DLL Injection, Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DNS 
ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Active Directory Replication User Backdoor, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory User Backdoors, Active Directory Delegate To KRBTGT Service, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Privileged AD Builtin Group Modified, Mimikatz Basic Commands"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, 
Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Phorpiex Process Masquerading, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Dynwrapx Module Loading, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, Equation Group DLL_U Load, 
PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, MOFComp Execution, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, IcedID Execution Using Excel, CMSTP Execution, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, FlowCloud Malware, RedMimicry Winnti Playbook Registry Manipulation, DNS ServerLevelPluginDll Installation, NetNTLM Downgrade Attack, RDP Port Change Using Powershell, Remote Registry Management Using Reg Utility, Suspicious Desktopimgdownldr Execution, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, OceanLotus 
Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified, Computer Account Deleted"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Remote Registry Management Using Reg Utility, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, 
{"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO, Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: 
Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Secure Deletion With SDelete, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To 
Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SSH Tunnel Traffic, Exfiltration And Tunneling Tools Execution, Venom Multi-hop Proxy agent detection, SSH X11 Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading, CreateRemoteThread Common Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active 
Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From 
Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test, Microsoft Office Startup Add-In"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools 
Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, 
{"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 
Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Invoke-TheHash Commandlets, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Malicious PowerShell Commandlets, FromBase64String Command Line, Suspicious PowerShell Keywords, Turla Named Pipes, PowerShell Downgrade Attack, In-memory PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke Expression With Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious Taskkill Command, PowerShell Credential Prompt, PowerShell - NTFS Alternate Data Stream, Powershell Web Request, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Disabled Base64 Encoded, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Detection of default Mimikatz banner, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Invoke-TheHash Commandlets, Suspicious VBS Execution Parameter, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, PowerShell Malicious PowerShell Commandlets, FromBase64String Command Line, Suspicious Outlook Child Process, Trickbot Malware Activity, Venom Multi-hop Proxy agent detection, Elise Backdoor, Suspicious PowerShell Keywords, Turla Named Pipes, Sysprep On AppData Folder, PowerShell Downgrade Attack, 
In-memory PowerShell, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke Expression With Registry, Suspicious Cmd.exe Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Threat Detected, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious Taskkill Command, Suspicious Scripting In A WMI Consumer, PowerShell Credential Prompt, PowerShell - NTFS Alternate Data Stream, Powershell Web Request, WMI DLL Loaded Via Office, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious DLL Loaded Via Office Applications, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Microsoft Office Creating Suspicious File, Detection of default Mimikatz banner, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Malspam Execution Registering Malicious DLL, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Creation or Modification of a GPO Scheduled Task, Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks 
Persistence With High Privileges, Creation or Modification of a GPO Scheduled Task, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Remote Task Creation Via ATSVC Named Pipe, Chafer (APT 39) Activity, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Transfering Files With Credential Data Via Network Shares, Malicious Service Installations, Credential Dumping-Tools Common Named Pipes, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, LSASS Access From Non System Account, Credential Dumping By LaZagne, Dumpert LSASS Process Dumper, SAM Registry Hive Handle Request, Mimikatz Basic Commands, NetNTLM Downgrade Attack, HackTools Suspicious Process Names In Command Line, DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Active Directory Replication from Non Machine Account, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Active Directory Database Dump Via Ntdsutil, Mimikatz LSASS Memory Access, Cmdkey Cached Credentials Recon, Unsigned Image Loaded Into LSASS Process, HackTools Suspicious Names, Copying Browser Files With Credentials, Lsass Access Through WinRM, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, Credential Dumping Tools Service Execution, Impacket Secretsdump.py Tool, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Createdump, LSASS Memory Dump, Rubeus Tool 
Command-line, Suspicious SAM Dump, Password Dumper Activity On LSASS, DCSync Attack, LSASS Memory Dump File Creation, RedMimicry Winnti Playbook Dropped File, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, LSASS Access From Non System Account, Password Dumper Activity On LSASS, Credential Dumping Tools Service Execution, Credential Dumping By LaZagne, Dumpert LSASS Process Dumper, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump, Mimikatz LSASS Memory Access, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Lsass Access Through WinRM, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, WMI Install Of Binary, Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Service Call, Suspicious Mshta Execution From Wmi, WMI DLL Loaded Via Office, WMIC Uninstall Product, WMImplant Hack Tool, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1218", "score": 100, 
"comment": "Rules: Control Panel Items, Dynwrapx Module Loading, Suspicious Regsvr32 Execution, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MOFComp Execution, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, xWizard Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent, Process Herpaderping, CreateRemoteThread Common Process Injection, Explorer Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Searchindexer Wrong Parent, Dynwrapx Module Loading, Process Hollowing Detection, Wsmprovhost Wrong Parent, Malicious Named Pipe, Taskhostw Wrong Parent, Cobalt Strike Named Pipes, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Suspicious Taskkill Command, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, Elise 
Backdoor, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, GPO Executable Delivery, Domain Trust Created Or Removed, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From 
Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Suspicious DLL side loading from ProgramData, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Werfault DLL Injection, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Windows Registry Persistence COM Search Order Hijacking, DNS ServerLevelPluginDll Installation, Suspicious DLL side loading from ProgramData, Svchost DLL Search Order Hijack, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Disable Task Manager Through Registry Key, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious PROCEXP152.sys 
File Created In Tmp, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Disable Windows Defender Credential Guard, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Suspect Svchost Memory Access, TrustedInstaller Impersonation, Raccine Uninstall, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Netsh Allow Command, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Suspicious Driver Loaded, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Python Opening Ports, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, SquirrelWaffle 
Malspam Execution Loading DLL, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Process Execution Blocked (HL-AI engine), Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, 
{"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious HWP Child Process, Suspicious Double Extension, Cisco Umbrella Threat Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Exploit For CVE-2015-1641, Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Suspicious HWP Child Process, Suspicious New Printer Ports In Registry, Audit CVE Event"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Suspicious Outbound Kerberos Connection, Rubeus Register New Logon Process, Possible Replay Attack, Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, WMI Event Subscription, Suspicious Scripting In A WMI Consumer, Suspicious Netsh DLL Persistence, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active 
Directory Replication User Backdoor, User Added to Local Administrators, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory User Backdoors, Mimikatz Basic Commands, Active Directory Delegate To KRBTGT Service, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH X11 Forwarding, SSH Tunnel Traffic, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Ngrok Process Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, Disable Workstation Lock, Chafer (APT 39) Activity, FlowCloud Malware, RDP Port Change Using Powershell, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Privileged Operation, PowerView commandlets 2, SCM Database Handle Failure"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell 
Winlogon Helper DLL"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Autorun Keys Modification, Svchost Modification, Powershell Winlogon Helper DLL, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Ryuk Ransomware Persistence Registry Key, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, NjRat Registry Changes, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Suspicious LDAP-Attributes Used, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, SysKey Registry Keys Access, Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lateral Movement - Remote Named Pipe, Smbexec.py Service Installation, RDP Login 
From Localhost, Cobalt Strike Default Service Creation Usage, MMC Spawning Windows Shell, Denied Access To Remote Desktop, RDP Port Change Using Powershell, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, MMC20 Lateral Movement, Lsass Access Through WinRM, Protected Storage Service Access"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Gpscript Suspicious Parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Cobalt Strike Default Service Creation Usage, SolarWinds Wrong Child Process, Lsass Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Taskhostw Wrong Parent, APT29 Fake Google Update Service Install, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Gpscript Suspicious Parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Cobalt Strike Default Service Creation Usage, SolarWinds Wrong Child Process, Lsass Wrong Parent, StoneDrill Service 
Install, Rare Lsass Child Found, Taskhostw Wrong Parent, APT29 Fake Google Update Service Install, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Gpscript Suspicious Parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Metasploit PSExec Service Creation, Taskhost Wrong Parent, Dllhost Wrong Parent, Credential Dumping Tools Service Execution, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Smbexec.py Service Installation, Csrss Child Found, Winword wrong parent, Suspicious PsExec Execution, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Gpscript Suspicious Parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong 
Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Microsoft Defender Antivirus Threat Detected, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Metasploit PSExec Service Creation, Taskhost Wrong Parent, Dllhost Wrong Parent, Credential Dumping Tools Service Execution, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Smbexec.py Service Installation, Csrss Child Found, Windows Update LolBins, Winword wrong parent, Suspicious PsExec Execution, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Svchost Modification, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Ryuk Ransomware Persistence Registry Key, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Suspicious SAM Dump, Credential Dumping-Tools Common Named Pipes, Copying Sensitive Files With Credential Data, Credential Dumping Tools Service Execution, 
Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Disable Windows Defender Credential Guard, Debugging Software Deactivation, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, TrustedInstaller Impersonation, Raccine Uninstall, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Suspicious Driver 
Loaded, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, GitLab CVE-2021-22205"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, User Added to Local Administrators, Admin User RDP Remote Logon, Denied Access To Remote Desktop, Failed Logon Source From Public IP Addresses, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Eventlog Cleared, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, ETW Tampering, 
Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Secure Deletion With SDelete, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 2, PowerView commandlets 1, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1489", "score": 100, 
"comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Stop Backup Services"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command, Python Opening Ports"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1482", "score": 100, 
"comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, PowerView commandlets 1, AdFind Usage, Trickbot Malware Activity, Phosphorus Domain Controller Discovery, NlTest Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, TUN/TAP Driver Installation, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools 
Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Audit CVE Event"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement - Remote Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", 
"score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, System Info Discovery"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": 
"T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution 
To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": 
"Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
index b0598f6a0d..a71d012c6d 100644
--- a/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_255764ef-eaf6-4964-958e-81b9418e6584_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Kaspersky Endpoint Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": 
"Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Kaspersky Endpoint Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Phorpiex Process Masquerading"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK 
Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
index 675dd8318e..c73441ef43 100644
--- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Suspicious Email Attachment Received, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-5902 F5 BIG-IP 
Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", 
"score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Email Attachment Received, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic 
MSHTML Command, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1074", "score": 100, 
"comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
index adb9d246ab..4edeed046d 100644
--- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, 
MavInject Process Injection, Explorer Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Logonui Wrong 
Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Windows Update LolBins, SolarWinds Suspicious File Creation, Lsass Wrong Parent, Rare Lsass Child Found, Microsoft Defender Antivirus Threat Detected, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, 
{"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion 
Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Powershell Web Request, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Lazarus Loaders, PowerShell Download From URL, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, 
Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, Trickbot Malware Activity, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Elise Backdoor, PowerShell Downgrade Attack"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Exploited 
CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Cobalt Strike 
Default Beacons Names, Microsoft Office Spawning Script, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": 
"T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using 
Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill 
Command, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, MOFComp Execution, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, IcedID Execution Using Excel, CMSTP Execution, CertOC Loading Dll"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, 
{"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", 
"score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Audit CVE Event, Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, 
Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: 
Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Suspicious desktop.ini Action, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", 
"score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, 
{"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": 
"Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Suspicious Outlook Child Process, Trickbot Malware Activity, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Threat Detected, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC 
Uninstall Product, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, 
Windows Credential Editor Registry Key"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or 
CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Audit CVE Event"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, MS Office Product Spawning 
Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MOFComp Execution, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, xWizard Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: 
PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Disable Workstation Lock, FlowCloud Malware"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET 
Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer 
Wrong Parent, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Suspicious DNS 
Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Microsoft Defender Antivirus Threat Detected, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Windows Update LolBins, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET 
Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": 
"T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: 
Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": 
"Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": 
"T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy 
Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": 
"Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": 
"T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": 
"T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json index 852e5c5455..efcb163362 100644 --- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, 
{"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, 
Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1552.001", "score": 100, "comment": 
"Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, 
{"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: 
NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection 
Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x VMware ESXi", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Rubeus Tool Command-line, 
Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager 
Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": 
"Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, 
Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, 
"comment": "Rules: Nimbo-C2 User Agent, Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Python HTTP Server, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": 
"T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json index 631b9eaa5e..7d87e84c90 100644 --- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, 
Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: 
CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, 
"comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco ESA", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": 
"Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 
Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual 
Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double 
Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json index b8a3984a5a..c172b8b9c3 100644 --- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, 
{"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": 
"T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, 
{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API 
Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json index e255adbb01..6d74c444c1 100644 --- a/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_35855de3-0728-4a83-ae19-e38e167432a1_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x OpenLDAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json index 2bf4037105..7eed32d31c 100644 --- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Python HTTP Server, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wsmprovhost 
Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong 
Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Windows Update LolBins, SolarWinds Suspicious File Creation, Lsass Wrong Parent, Rare Lsass Child Found, Microsoft Defender Antivirus Threat Detected, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout 
Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Tampering Detected, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft 
Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Powershell Web Request, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Lazarus Loaders, PowerShell Download From URL, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho 
ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, Trickbot Malware Activity, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Elise Backdoor, PowerShell Downgrade Attack, Python Offensive Tools and Packages"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed 
Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Medium Level Rule Detection, Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Low Level Rule Detection, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR High Level Rule Detection, Sysmon Windows File Block Executable, 
SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked (HL-AI engine), Sysmon Windows File Block Executable, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Exploit For CVE-2015-1641, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, HarfangLab EDR Critical Level Rule Detection, IcedID Execution Using Excel, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": 
"T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust 
Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration, STRRAT Scheduled Task"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": 
"Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, MOFComp Execution, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, IcedID Execution Using Excel, CMSTP Execution, CertOC Loading Dll"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown 
Tool"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, 
{"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt 
Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, 
{"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, 
Suspicious desktop.ini Action, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in 
Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: 
Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Lazarus Loaders, Suspicious Outlook Child Process, Trickbot Malware Activity, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes 
Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Threat Detected, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Cron Files Alteration, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With 
Credential Data, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning 
Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 
100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, Exploit For CVE-2015-1641, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Process Execution Blocked (HL-AI engine), HarfangLab EDR Low Level Rule Detection, HarfangLab EDR High Level Rule Detection, Winword Document Droppers, Explorer Process Executing HTA File, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Process Execution Blocked (HL-AI engine), Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, Winword Document Droppers, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, 
Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MOFComp Execution, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, xWizard Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Python HTTP Server, Exfiltration And 
Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, Blue Mockingbird Malware, Disable Workstation Lock, FlowCloud Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, 
Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong 
Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Microsoft Defender Antivirus Threat Detected, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Windows Update LolBins, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, AMSI 
Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, 
{"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, 
Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": 
"Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: 
Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added 
to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": 
"Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1049", "score": 
100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", 
"score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json index 84048d7e42..b49c695660 100644 --- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity 
Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json index 24e7bece07..deafdfc43a 100644 --- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR CorePUA Detection, Sophos EDR Application Blocked, Sophos EDR CorePUA Clean, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 
SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR Application Detected, Sophos EDR Application Blocked, Sophos EDR CorePUA Clean, Sophos EDR CorePUA Detection, Download Files From Suspicious TLDs"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse 
Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json index 1558b007b2..9dface2434 100644 
--- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json 
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation 
Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": 
"T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": 
"Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO 
Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": 
"T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1569.002", "score": 100, "comment": 
"Rules: PsExec Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page 
(Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
index 54e9ed2b3e..b0d63ff578 100644
--- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json 
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Exploit For CVE-2015-1641, 
IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module 
Installation Using AppCmd, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children 
Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of 
Sysinternals Tools, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Windows Update LolBins, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP 
Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Powershell Web Request, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation 
(CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Lazarus Loaders, PowerShell Download From URL, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Mshta Suspicious Child Process, Trickbot Malware Activity, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Elise Backdoor, PowerShell Downgrade Attack, Python Offensive Tools and Packages"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, 
MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious 
Location, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With 
Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration, STRRAT Scheduled Task"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, MOFComp Execution, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta 
Execution, IcedID Execution Using Excel, CMSTP Execution, CertOC Loading Dll"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": 
"T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1219", "score": 100, "comment": 
"Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": 
"T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From 
Suspicious Folder, NjRat Registry Changes, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": 
"Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 
100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Lazarus Loaders, Suspicious Outlook Child Process, Trickbot Malware Activity, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, 
SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Cron Files Alteration, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Copying 
Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, 
SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, 
{"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MOFComp Execution, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, xWizard Execution, Equation Group DLL_U Load, IcedID Execution 
Using Excel"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Sliver DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Disable Workstation Lock, FlowCloud Malware"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562", "score": 100, 
"comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, 
Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost 
Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Windows Update LolBins, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": 
"T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, 
{"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, 
{"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus 
Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", 
"score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, 
{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1122", "score": 
100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment 
Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
index d0be93841f..e6a0cd729e 100644
--- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Cleaned, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double 
Extension, Phorpiex Process Masquerading"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound 
Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Bloodhound and Sharphound Tools Usage, Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1553.004", "score": 100, 
"comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To 
Move Laterally"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Venom Multi-hop Proxy agent detection, AutoIt3 Execution From Suspicious Folder, Interactive Terminal Spawned via Python"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": 
"Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Terminate, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Quarantined, Download Files From Suspicious TLDs"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled Service, SELinux Disabling"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", 
"score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
index c0a6b372a9..2d18cae7e9 100644
--- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, 
{"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, 
{"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files 
From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
index 2a0b205057..a714c764f5 100644
--- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
index 44b546772a..73424687ad 100644
--- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Sliver DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API 
Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": 
"Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: 
Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And 
Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Sliver DNS Beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: 
Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1003", 
"score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", 
"score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
index fe4c6e76c1..b88c7764a3 100644
--- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json 
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator 
Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, 
"comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
index 979f991c1f..f8d8f34475 100644
--- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Proofpoint TAP Email Classified As Spam But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Proofpoint TAP Email Classified As Phishing But Allowed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious 
Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Spam But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Proofpoint TAP Email Classified As Phishing But Allowed, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, 
{"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
index e569ac9cd6..40bd6dde04 100644
--- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": 
"T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 
100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, 
Potential Bazar Loader User-Agents"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", 
"score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json index 30d25cac10..40aaa6b4d8 100644 --- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (Sandboxing), Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}]} \ No newline at end of file 
+{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json index 65f6a6c5ce..c2a986ba16 100644 --- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json index f58ccabfc9..d8fc8d42b6 100644 
--- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Sliver DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files 
From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: 
Suspicious TOR Gateway"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Sliver DNS Beaconing, Koadic MSHTML Command, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated 
Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download 
Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json index ea77bcd07a..54229e9081 100644 --- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json index 8fa33eaefc..4baffa1915 100644 --- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, 
Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, SELinux Disabling, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Disabled Service, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, SELinux Disabling, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Disabled Service, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious 
certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, Socat Reverse Shell Detection, Interactive Terminal Spawned via Python, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Elise Backdoor, PowerShell Downgrade 
Attack, Python Offensive Tools and Packages"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": 
"T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", 
"score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, CMSTP Execution, MavInject Process Injection, xWizard Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, 
{"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel 
Items"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, 
{"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, 
"comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil 
command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, 
"comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, 
"comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Lazarus Loaders, Venom Multi-hop Proxy agent detection, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Socat Relaying Socket, Socat Reverse Shell Detection, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell 
Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: 
Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Mshta JavaScript Execution, CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS 
Tunnel, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Ngrok Process Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Cron Files Alteration, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, 
Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate 
Executable Using AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS 
Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 
100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": 
"T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, 
Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool 
Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, 
{"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": 
"Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
index 2e7c5baf7e..730396ba75 100644
--- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Package Manager Alteration, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender 
Antivirus Disable Using Registry, Netsh Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Package Manager Alteration, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Exploiting 
SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Suspicious Cmd File Copy Command To Network Share, Non-Legitimate 
Executable Using AcceptEula Parameter"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall 
Product"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling 
Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", 
"score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and 
Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Suspicious Taskkill Command, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Suspicious Scheduled Task Creation, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using 
Schtasks, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Cron Files Alteration, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Package Manager Alteration, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1036.005", "score": 100, 
"comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows 
Firewall Changes"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1053.002", 
"score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious Taskkill Command, Lazarus Loaders, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio 
Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: 
Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json index f19f265817..0829291e31 100644 --- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x SonicWall Secure Mobile Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SonicWall Secure Mobile Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json index be7653502c..b9c323793c 100644 
--- a/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_63974ce1-2f0a-44f7-a4cf-3e64787c1c39_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft IIS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json index 5d48fadc09..92fc0eebc4 100644 --- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, 
{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", 
"score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, 
{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json index c9793777a3..261130956f 100644 
--- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering, High Privileges Network Share Removal, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, 
Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, MalwareBytes Uninstallation, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disabled Base64 Encoded, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, 
{"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1218", "score": 100, 
"comment": "Rules: Suspicious Taskkill Command, Control Panel Items, MavInject Process Injection, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender 
Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser 
Extensions"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": 
"Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Linux Bash Reverse Shell, Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Suspicious PrinterPorts Creation (CVE-2020-1048), Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, 
{"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Raccine Uninstall, Microsoft Defender Antivirus Restoration Abuse, MalwareBytes Uninstallation, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Netsh RDP Port Forwarding, Suspicious Microsoft Defender Antivirus Exclusion Command, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, WMIC Uninstall Product, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With 
MpCmdRun, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Suspicious Windows Installer Execution, Control Panel Items, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data 
Compressed With Rar With Password"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Port Forwarding, Windows Firewall Changes"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird 
Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, 
"comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": 
"T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json index 95e309bf9d..7e0e0c1f79 100644 --- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": 
"T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 
SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader 
User-Agents"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": 
"T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json index aa9c955df1..9b1d0a304b 100644 --- a/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_700f332f-d515-4bc5-8a62-49fa5f2c9206_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco IOS router and switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json index 7e69009d6b..ba70bd2a3f 100644 --- a/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_70c5c3db-fae8-4825-8d8b-08d6315e1ef6_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Files [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-17530 Apache Struts RCE, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-11510 Pulse Secure Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, 
{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Files [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1136", "score": 100, "comment": 
"Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json index a6549fe649..2495f88aac 100644 --- a/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_79029ef9-e5d3-44f3-b70f-fd3b54ba1fe4_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python 
Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell Download 
From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Elise Backdoor, PowerShell Downgrade Attack, Python Offensive Tools and Packages"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Trace Alteration, 
HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump Using Rdrleakdiag, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", 
"score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, CMSTP Execution, MavInject Process Injection, 
xWizard Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common 
Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, 
"comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration 
and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer 
Process Executing HTA File"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, 
"comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Stormshield SNS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus 
Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Lazarus Loaders, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using 
Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": 
"T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Mshta JavaScript Execution, CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.005", "score": 100, "comment": 
"Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, 
Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove 
Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, 
{"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Change Default File Association, New DLL Added To AppCertDlls Registry Key, Control Panel Items"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1197", "score": 100, 
"comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, 
"comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1176", "score": 100, "comment": 
"Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout 
Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json index 0d98e7d960..95a626395f 100644 --- a/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7a12aa3b-ec73-4ebb-8fb3-f7c543fd84a5_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Ivanti / Pulse Connect Secure", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 
100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json index 37891ab9a0..865cfbb96f 100644 --- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json index 175f970715..e70dc312e5 100644 --- a/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7b75d498-4a65-4d44-aa81-31090d723a60_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]} \ No 
newline at end of file +{"name": "SEKOIA.IO x Varonis Data Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Varonis Data Security Email Alert"}]} 
\ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json index 9c37af6329..d90afb7f3f 100644 --- a/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_80b8382e-0667-4469-bbc9-74be1e0ca1c1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft Always On VPN", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json index da922a3b0c..b2093580ca 100644 --- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Outside Collaborator Detected, GitHub New Organization Member"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Outside Collaborator Detected, GitHub New Organization Member"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub New Organization Member"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub Delete Action, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub New Organization Member"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, 
Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json index 0ccda8b8e3..2dca3ae869 100644 --- a/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_838ed6e5-6d5e-4a5b-b079-ab35ac6b2ab9_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vade Cloud", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json index 55f14fdecc..37a7aeb87f 100644 
--- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json index 3d166cfe82..9b1ce8e9c3 100644 --- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x ManageEngine ADAudit Plus [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x ManageEngine ADAudit Plus [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", 
"techniques": [{"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json index 490a3376b6..487656ad31 100644 
--- a/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8a9894f8-d7bc-4c06-b96a-8808b3c6cade_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco ISE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Cisco Identity Services Engine Configuration Changed"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json index 63ee30f633..5e1c75d2bb 100644 --- a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server, Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning 
Script, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, 
Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw 
Suspicious Child Found, WMI Persistence Command Line Event Consumer, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong 
Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Windows Update LolBins, SolarWinds Suspicious File Creation, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Clear 
EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Powershell Web Request, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), 
Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Lazarus Loaders, PowerShell Download From URL, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, Trickbot Malware Activity, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Elise Backdoor, PowerShell Downgrade Attack"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes 
Uninstallation, Suspicious CodePage Switch with CHCP, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Program 
Allowed With Suspicious Location, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": 
"Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, STRRAT Scheduled Task"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, MOFComp Execution, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious 
Mshta Execution, IcedID Execution Using Excel, CMSTP Execution, CertOC Loading Dll"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, 
{"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: 
Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs 
Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": 
"Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Suspicious desktop.ini Action"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", 
"score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": 
"SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Suspicious Outlook Child Process, Trickbot Malware Activity, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, 
Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, 
Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 
100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, RTLO Character, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning 
Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MOFComp Execution, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, xWizard Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC 
Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Sliver DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, 
Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, 
Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Windows Update LolBins, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, 
Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, NjRat Registry Changes, Suspicious desktop.ini Action"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials 
Harvesting Using Netsh"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1191", 
"score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": 
"T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", 
"score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook 
Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 
100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, 
"comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
index bc67d67453..c00a6db06a 100644
--- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, TEHTRIS EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable 
Using AcceptEula Parameter, Phorpiex Process Masquerading, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation 
Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious 
Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, TEHTRIS EDR Alert, Elise Backdoor, PowerShell Downgrade Attack"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI 
Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: 
Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, 
{"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, CMSTP Execution, MavInject Process Injection, xWizard Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, 
Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1219", 
"score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs 
Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1571", "score": 100, 
"comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, 
{"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": 
"Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, TEHTRIS EDR Alert, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell 
Download From URL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS 
Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Mshta JavaScript Execution, CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, 
{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Cron Files Alteration, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender 
Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Suspicious desktop.ini Action"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, RTLO Character, Non-Legitimate Executable Using 
AcceptEula Parameter, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, 
{"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, 
"comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, 
{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, 
{"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: 
Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, TEHTRIS EDR Alert, Download Files From Suspicious TLDs"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike 
Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", 
"score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
index cd4c3085d7..69b205f91c 100644
--- a/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_903ec1b8-f206-4ba5-8563-db21da09cafd_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, 
"comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Palo Alto NGFW", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, 
"comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
index 6ca90b7abc..a940919cfe 100644
--- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm), Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Suspicious LDAP-Attributes Used, Koadic MSHTML Command, Sliver DNS Beaconing, Covenant Default HTTP Beaconing, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Python HTTP Server, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious HWP Child Process, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Audit CVE Event, Suspicious HWP Child Process, Msdt (Follina) File Browse 
Process Execution, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked (HL-AI engine), Sysmon Windows File Block Executable, Download Files From Suspicious TLDs, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Exploit For CVE-2015-1641, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Suspicious Outlook Child Process, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, Microsoft Defender Antivirus Threat Detected, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Cobalt Strike Default Beacons Names, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, HarfangLab EDR Process Execution Blocked (HL-AI engine), Sysmon Windows File Block Executable, Download Files From Suspicious TLDs, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Exploit For CVE-2015-1641, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs, Microsoft Office Creating 
Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, IcedID Execution Using Excel, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Python HTTP Server, Covenant Default HTTP Beaconing, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Failed Logon Source From Public IP Addresses, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Execution From Suspicious Folder, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Phorpiex Process Masquerading, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, 
"comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, Antivirus Web Shell Detection, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, Antivirus Web Shell Detection, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Network Connection Via Certutil, Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Potential DNS Tunnel, Exfiltration 
Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname, Suspicious TOR Gateway"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Dynwrapx Module Loading, Address Space Layout Randomization (ASLR) Alteration, Wsmprovhost Wrong Parent, CreateRemoteThread Common Process Injection, Svchost Wrong Parent, Searchindexer Wrong Parent, Smss Wrong Parent, Malicious Named Pipe, Process Hollowing Detection, Process Herpaderping, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Cobalt Strike Named Pipes, MavInject Process Injection, Searchprotocolhost Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Gpscript Suspicious Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Malicious Service Installations, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Chafer (APT 39) Activity, APT29 Fake Google Update Service Install, StoneDrill Service Install, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, 
Searchprotocolhost Wrong Parent, Winword wrong parent, Cobalt Strike Default Service Creation Usage, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Gpscript Suspicious Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Malicious Service Installations, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, WMI Persistence Command Line Event Consumer, Chafer (APT 39) Activity, APT29 Fake Google Update Service Install, StoneDrill Service Install, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Cobalt Strike Default Service Creation Usage, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Gpscript Suspicious Parent, Metasploit PSExec Service Creation, Userinit Wrong Parent, Suspicious PsExec Execution, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Malicious Service Installations, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong 
Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Credential Dumping Tools Service Execution, Smbexec.py Service Installation, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Gpscript Suspicious Parent, Metasploit PSExec Service Creation, Userinit Wrong Parent, Suspicious PsExec Execution, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Malicious Service Installations, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Credential Dumping Tools Service Execution, Windows Update LolBins, SolarWinds Suspicious File Creation, Smbexec.py Service Installation, Lsass Wrong Parent, Rare Lsass Child Found, Microsoft Defender Antivirus Threat Detected, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk, Antivirus Password Dumper Detection"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Secure Deletion With SDelete, Microsoft Defender Antivirus History 
Deleted, Eventlog Cleared, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Services, Fail2ban Unban IP, Netsh Port Opening, Microsoft Defender Antivirus Configuration Changed, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Ryuk Ransomware Command Line, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, NetNTLM Downgrade Attack, Clear EventLogs Through CommandLine, AMSI Deactivation Using Registry Key, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Exclusion Configuration, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Suspect Svchost Memory Access, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Python Opening Ports, Netsh Allow Command, Powershell AMSI Bypass, Microsoft Defender Antivirus Disabled Base64 
Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Disable Security Events Logging Adding Reg Key MiniNt"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Netsh RDP Port Opening, Disable Windows Defender Credential Guard, Microsoft Defender Antivirus Disable Services, Fail2ban Unban IP, Netsh Port Opening, Microsoft Defender Antivirus Configuration Changed, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Ryuk Ransomware Command Line, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable Scheduled Tasks, NetNTLM Downgrade Attack, AMSI Deactivation Using Registry Key, Microsoft Malware Protection Engine Crash, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Exclusion Configuration, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus 
Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Credential Prompt, WMImplant Hack Tool, Powershell Web Request, Suspicious PowerShell Keywords, PowerShell EncodedCommand, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic, In-memory PowerShell, PowerShell - NTFS Alternate Data Stream, Suspicious Taskkill Command, Invoke-TheHash Commandlets, Turla Named Pipes, FromBase64String Command Line, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Detection of default Mimikatz banner, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Credential Prompt, WMImplant Hack Tool, Powershell Web Request, Suspicious PowerShell Keywords, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Lazarus Loaders, PowerShell Download From URL, Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Generic, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, In-memory PowerShell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, PowerShell - NTFS Alternate Data Stream, Suspicious 
Taskkill Command, Mustang Panda Dropper, Suspicious DLL Loaded Via Office Applications, Suspicious CodePage Switch with CHCP, Invoke-TheHash Commandlets, Turla Named Pipes, FromBase64String Command Line, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Detection of default Mimikatz banner, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Scripting In A WMI Consumer, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Mshta Suspicious Child Process, Microsoft Office Creating Suspicious File, PowerShell Malicious PowerShell Commandlets, WMI DLL Loaded Via Office, Suspicious Outlook Child Process, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Trickbot Malware Activity, Malspam Execution Registering Malicious DLL, Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Venom Multi-hop Proxy agent detection, Elise Backdoor, PowerShell Downgrade Attack"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Narrator Feedback-Hub Persistence, Ryuk Ransomware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence 
Registry Key, Svchost Modification, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Suspicious desktop.ini Action, Narrator Feedback-Hub Persistence, Kernel Module Alteration, Ryuk Ransomware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Malware Persistence Registry Key, Svchost Modification, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, Dumpert LSASS Process Dumper, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes, DPAPI Domain Backup Key Extraction, Mimikatz Basic Commands, Wdigest Enable UseLogonCredential, Mimikatz LSASS Memory Access, Cmdkey Cached Credentials Recon, Malicious Service Installations, HackTools Suspicious Names, Lsass Access Through WinRM, HackTools Suspicious Process Names In Command Line, Credential Dumping By LaZagne, Process Memory Dump Using Comsvcs, Transfering Files With Credential Data Via Network Shares, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, NetNTLM Downgrade Attack, Active Directory Replication from Non Machine Account, LSASS Memory Dump File Creation, NTDS.dit File Interaction Through Command Line, Cred Dump Tools Dropped Files, SAM Registry Hive Handle Request, LSASS Memory Dump, Active Directory Database Dump Via Ntdsutil, RedMimicry Winnti Playbook Dropped File, LSASS Access From Non System Account, DCSync Attack, Unsigned Image Loaded Into LSASS Process, Windows Credential Editor Registry Key, Impacket Secretsdump.py Tool, Process Trace Alteration, Credential Dumping Tools Service 
Execution, Password Dumper Activity On LSASS, Process Memory Dump Using Createdump, Suspicious SAM Dump, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Mustang Panda Dropper, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, WMI Event Subscription, Suspicious Scripting In A WMI Consumer, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Credential Dumping-Tools Common Named Pipes, Mimikatz LSASS Memory Access, Cred Dump Tools Dropped Files, LSASS Memory Dump, Credential Dumping Tools Service Execution, Lsass Access Through WinRM, Password Dumper Activity On LSASS, Unsigned Image Loaded Into LSASS Process, Process Memory Dump Using Createdump, Credential Dumping By LaZagne, Dumpert LSASS Process Dumper, Process Memory Dump Using Rdrleakdiag, LSASS Access From Non System Account, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key, LSASS Memory Dump File Creation"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Impacket Secretsdump.py Tool, 
Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, SAM Registry Hive Handle Request, Suspicious SAM Dump, RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Grabbing Sensitive Hives Via Reg Utility, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Lateral Movement - Remote Named Pipe, Admin Share Access, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Protected Storage Service Access, Lsass Access Through WinRM, MMC Spawning Windows Shell, Remote Service Activity Via SVCCTL Named Pipe, RDP Login From Localhost, RDP Port Change Using Powershell, Smbexec.py Service Installation, Lateral Movement - Remote Named Pipe, Admin Share Access, Denied Access To Remote Desktop, MMC20 Lateral Movement, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security 
Enabled Group, Admin User RDP Remote Logon, Denied Access To Remote Desktop, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files, NTDS.dit File In Suspicious Directory, Active Directory Database Dump Via Ntdsutil, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, AdFind Usage, Phosphorus Domain Controller Discovery, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Python Opening Ports, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Register New Logon Process, Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Suspicious Outbound Kerberos Connection"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Audit CVE Event, Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 2, PowerView commandlets 1, SCM Database Privileged Operation"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": 
"T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Remote Privileged Group Enumeration, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, Wmic Process Call Creation, WMI DLL Loaded Via Office, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, WMI DLL Loaded Via Office, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious DLL Loaded Via Office Applications, Suspicious CodePage Switch with CHCP, Malspam 
Execution Registering Malicious DLL, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Werfault DLL Injection, Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Werfault DLL Injection, Suspicious DLL side loading from ProgramData, DNS Server Error Failed Loading The ServerLevelPluginDLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: GPO Executable Delivery, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": 
"T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, STRRAT Scheduled Task, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: User Added to Local Administrators, Active Directory Replication User Backdoor, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory User Backdoors, Active Directory Delegate To KRBTGT Service, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Add User to Privileged Group, Privileged AD Builtin Group Modified, Mimikatz Basic Commands"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire 
Monkey Activity, Dynwrapx Module Loading, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, MOFComp Execution, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, IcedID Execution Using Excel, CMSTP Execution, CertOC Loading Dll, Suspicious Desktopimgdownldr Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Suspicious New Printer Ports In Registry, FlowCloud Malware, RedMimicry Winnti Playbook Registry Manipulation, DNS ServerLevelPluginDll Installation, NetNTLM Downgrade Attack, RDP Port Change Using Powershell, Remote Registry Management Using Reg Utility, Suspicious Desktopimgdownldr Execution, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, Disable 
Security Events Logging Adding Reg Key MiniNt, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified, Computer Account Deleted"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Remote Registry Management Using Reg Utility, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt, 
Abusing Azure Browser SSO, Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning 
and Discovery"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand, Secure Deletion With SDelete, OneNote Embedded File, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1546.008", "score": 
100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection, Dynwrapx Module Loading, CreateRemoteThread Common Process Injection"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled, Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS 
Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": 
"Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Office Application Startup Office Test, Microsoft Office Startup Add-In"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Dynwrapx Module Loading"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Putty Sessions Listing, Suspicious Taskkill Command, SysKey Registry Keys Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA 
Configuration"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": 
"T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender 
Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Invoke-TheHash Commandlets, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Malicious PowerShell Commandlets, FromBase64String Command Line, Suspicious PowerShell Keywords, Turla Named Pipes, PowerShell Downgrade Attack, In-memory PowerShell, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke Expression With Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious Taskkill Command, PowerShell Credential Prompt, PowerShell - NTFS Alternate Data Stream, Powershell Web Request, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Disabled Base64 Encoded, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Detection of default Mimikatz banner, Mshta Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Invoke-TheHash Commandlets, Suspicious VBS Execution Parameter, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, PowerShell Malicious PowerShell Commandlets, FromBase64String Command Line, Suspicious Outlook Child Process, Trickbot Malware Activity, Venom Multi-hop Proxy agent detection, Elise Backdoor, Suspicious PowerShell Keywords, Turla Named Pipes, Sysprep On AppData 
Folder, PowerShell Downgrade Attack, In-memory PowerShell, SquirrelWaffle Malspam Execution Loading DLL, Mustang Panda Dropper, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke Expression With Registry, Suspicious Cmd.exe Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Threat Detected, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious Taskkill Command, Suspicious Scripting In A WMI Consumer, PowerShell Credential Prompt, PowerShell - NTFS Alternate Data Stream, Powershell Web Request, WMI DLL Loaded Via Office, Alternate PowerShell Hosts Pipe, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, WMImplant Hack Tool, Suspicious DLL Loaded Via Office Applications, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Microsoft Office Creating Suspicious File, Detection of default Mimikatz banner, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Malspam Execution Registering Malicious DLL, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Creation or Modification of a GPO Scheduled Task, Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, 
{"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Creation or Modification of a GPO Scheduled Task, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Remote Task Creation Via ATSVC Named Pipe, Chafer (APT 39) Activity, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Transfering Files With Credential Data Via Network Shares, Malicious Service Installations, Credential Dumping-Tools Common Named Pipes, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, LSASS Access From Non System Account, Credential Dumping By LaZagne, Dumpert LSASS Process Dumper, SAM Registry Hive Handle Request, Mimikatz Basic Commands, NetNTLM Downgrade Attack, HackTools Suspicious Process Names In Command Line, DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Active Directory Replication from Non Machine Account, Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Windows Credential Editor Registry Key, Active Directory Database Dump Via Ntdsutil, Mimikatz LSASS Memory Access, Cmdkey Cached Credentials Recon, Unsigned Image Loaded Into LSASS Process, HackTools Suspicious Names, Copying Browser Files With Credentials, Lsass Access Through WinRM, Wdigest Enable UseLogonCredential, WCE wceaux.dll Creation, 
Credential Dumping Tools Service Execution, Impacket Secretsdump.py Tool, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Createdump, LSASS Memory Dump, Rubeus Tool Command-line, Suspicious SAM Dump, Password Dumper Activity On LSASS, DCSync Attack, LSASS Memory Dump File Creation, RedMimicry Winnti Playbook Dropped File, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, LSASS Access From Non System Account, Password Dumper Activity On LSASS, Credential Dumping Tools Service Execution, Credential Dumping By LaZagne, Dumpert LSASS Process Dumper, Windows Credential Editor Registry Key, Load Of dbghelp/dbgcore DLL From Suspicious Process, LSASS Memory Dump File Creation, Process Memory Dump Using Createdump, Mimikatz LSASS Memory Access, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Lsass Access Through WinRM, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, WMI Install Of Binary, Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Service Call, Suspicious Mshta Execution From Wmi, WMI DLL Loaded Via Office, WMIC Uninstall Product, WMImplant Hack Tool, Wmic Process Call Creation, XSL Script 
Processing And SquiblyTwo Attack"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Dynwrapx Module Loading, Suspicious Regsvr32 Execution, SquirrelWaffle Malspam Execution Loading DLL, Mshta JavaScript Execution, Suspicious Desktopimgdownldr Execution, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MOFComp Execution, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, xWizard Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, IcedID Execution Using Excel, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Dynwrapx Module Loading, MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, Svchost Wrong Parent, Dynwrapx Module Loading, Malicious Named Pipe, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Wmiprvse Wrong Parent, Taskhostw Wrong Parent, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Searchindexer Wrong Parent, Process Hollowing Detection, Cobalt Strike Named Pipes, Process Herpaderping"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle 
Malspam Execution Loading DLL, Mustang Panda Dropper, Suspicious Taskkill Command, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product, Malspam Execution Registering Malicious DLL"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, WMI DLL Loaded Via Office, Suspicious CodePage Switch with CHCP, Malspam Execution Registering Malicious DLL, Suspicious DLL Loaded Via Office Applications, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, GPO Executable Delivery, Domain Trust Created Or Removed, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Legitimate Process Execution From Unusual Folder, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, RTLO Character, 
Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, Suspicious DLL side loading from ProgramData, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Werfault DLL Injection, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, Windows Registry Persistence COM Search Order Hijacking, DNS ServerLevelPluginDll Installation, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Suspicious DLL side loading from ProgramData, Svchost DLL Search Order Hijack, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable 
SecurityHealth, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Disable Task Manager Through Registry Key, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Disable Windows Defender Credential Guard, AMSI Deactivation Using Registry Key, Debugging Software Deactivation, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Suspect Svchost Memory Access, TrustedInstaller Impersonation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Netsh Allow Command, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Suspicious Driver Loaded, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Python Opening Ports, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook 
Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Process Execution Blocked (HL-AI engine), Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Non-Legitimate TLDs, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Explorer Process Executing HTA File, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Winword Document Droppers, Suspicious DLL Loaded Via Office Applications, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Process Execution Blocked (HL-AI engine), Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Hlai Engine Detection, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Non-Legitimate TLDs, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Low Level Rule Detection, Explorer Process Executing HTA File, Microsoft Defender Antivirus Threat Detected, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, Winword Document Droppers, Suspicious DLL Loaded Via 
Office Applications, Cobalt Strike Default Beacons Names, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, HarfangLab EDR Critical Level Rule Detection, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, HarfangLab EDR Suspicious Process Behavior Has Been Detected"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Malspam Execution Registering Malicious DLL, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Exploit For CVE-2015-1641, Antivirus Relevant File Paths Alerts, Msdt (Follina) File Browse Process Execution, Suspicious HWP Child Process, Suspicious New Printer Ports In Registry, Audit CVE Event, Download Files From Suspicious TLDs"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Suspicious Outbound Kerberos Connection, Rubeus Register New Logon Process, Possible Replay Attack, Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command 
To Determine The Antivirus"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk, Antivirus Exploitation Framework Detection, Antivirus Password Dumper Detection"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write, WMI Event Subscription"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, WMI Event Subscription, Suspicious Scripting In A WMI Consumer, Suspicious Netsh DLL Persistence, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Active Directory Replication User Backdoor, User Added to Local Administrators, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Active Directory User Backdoors, Mimikatz Basic Commands, Active Directory Delegate To KRBTGT Service, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Ngrok Process 
Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, DNS ServerLevelPluginDll Installation, Disable Workstation Lock, Chafer (APT 39) Activity, FlowCloud Malware, RDP Port Change Using Powershell, Suspicious New Printer Ports In Registry, NetNTLM Downgrade Attack, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Privileged Operation, PowerView commandlets 2, SCM Database Handle Failure"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key, Autorun Keys Modification, Svchost Modification, Powershell Winlogon Helper DLL, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Ryuk Ransomware Persistence Registry Key, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, NjRat Registry Changes, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Covenant Default HTTP Beaconing, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Potential 
Lemon Duck User-Agent, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Sliver DNS Beaconing, Suspicious LDAP-Attributes Used, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Covenant Default HTTP Beaconing, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Chafer (APT 39) Activity, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Remote Registry Management Using Reg Utility, SysKey Registry Keys Access, Suspicious Taskkill Command, Putty Sessions Listing"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Lateral Movement - Remote Named Pipe, Smbexec.py Service Installation, RDP Login From Localhost, Cobalt Strike Default Service Creation Usage, MMC Spawning Windows Shell, Denied Access To Remote Desktop, RDP Port Change Using Powershell, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, MMC20 Lateral Movement, Lsass Access Through WinRM, Protected Storage Service Access"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, 
{"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Gpscript Suspicious Parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Cobalt Strike Default Service Creation Usage, SolarWinds Wrong Child Process, Lsass Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Taskhostw Wrong Parent, APT29 Fake Google Update Service Install, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Gpscript Suspicious Parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Cobalt Strike Default Service Creation Usage, SolarWinds Wrong Child Process, Lsass Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Taskhostw Wrong Parent, APT29 Fake Google Update Service Install, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, 
Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Gpscript Suspicious Parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Metasploit PSExec Service Creation, Taskhost Wrong Parent, Dllhost Wrong Parent, Credential Dumping Tools Service Execution, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Smbexec.py Service Installation, Csrss Child Found, Winword wrong parent, Suspicious PsExec Execution, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Gpscript Suspicious Parent, Svchost Wrong Parent, WMI Persistence Command Line Event Consumer, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Microsoft Defender Antivirus Threat Detected, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Metasploit PSExec Service Creation, Taskhost Wrong Parent, Dllhost Wrong Parent, Credential Dumping Tools Service Execution, OneNote Suspicious Children Process, Rare Logonui Child Found, 
Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Smbexec.py Service Installation, Csrss Child Found, Windows Update LolBins, Winword wrong parent, Suspicious PsExec Execution, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Registry Checked For Lanmanserver DisableCompression Parameter, Audit CVE Event"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Svchost Modification, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Ryuk Ransomware Persistence Registry Key, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Suspicious SAM Dump, Credential Dumping-Tools Common Named Pipes, Copying Sensitive Files With Credential Data, Credential Dumping Tools Service Execution, Impacket Secretsdump.py Tool, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Active Directory Database 
Dump Via Ntdsutil"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Impacket Secretsdump.py Tool, Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, NetNTLM Downgrade Attack, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Suspicious PROCEXP152.sys File Created In Tmp, MalwareBytes Uninstallation, Disable Windows Defender Credential Guard, Debugging Software Deactivation, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, TrustedInstaller Impersonation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Exclusion Configuration, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Suspicious Driver Loaded, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1040", "score": 100, 
"comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, GitLab CVE-2021-22205, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, Failed Logon Source From Public IP Addresses, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted, Secure Deletion With SDelete"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cred Dump Tools Dropped Files, Credential Dumping-Tools Common Named Pipes, Credential Dumping Tools Service Execution, Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, User Added to Local Administrators, Admin User RDP Remote Logon, Denied Access To Remote Desktop, Failed Logon Source From Public IP Addresses, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Eventlog Cleared, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, 
"comment": "Rules: PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Secure Deletion With SDelete, OneNote Embedded File, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Antivirus Web Shell Detection, Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, PowerView commandlets 2, PowerView commandlets 1, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": 
"Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Stop Backup Services"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command, Python Opening Ports"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname, Suspicious TOR Gateway"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView 
commandlets 2, PowerView commandlets 1, AdFind Usage, Trickbot Malware Activity, Phosphorus Domain Controller Discovery, NlTest Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, TUN/TAP Driver Installation, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 
100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious New Printer Ports In Registry, Audit CVE Event"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Lateral Movement - Remote Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Admin Share Access, Remote Service Activity Via SVCCTL Named Pipe, Protected Storage Service Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - 
martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: WMIC Loading Scripting Libraries, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1218.009", "score": 
100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Credential Dumping Tools Service Execution, DCSync Attack, Active Directory Replication from Non Machine Account"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, 
{"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: 
MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double 
Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: EvilProxy Phishing Domain, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
index 559c911176..5dec0f77ca 100644
--- a/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_98fa7079-41ae-4033-a93f-bbd70d114188_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x Darktrace Threat Visualizer [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Critical Alert, Darktrace Threat Visualizer Model Breach Suspicious Alert"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x Darktrace Threat Visualizer [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Darktrace Threat Visualizer Model Breach Suspicious Alert, Darktrace Threat Visualizer Model Breach Critical Alert"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
index ab67a1a718..b0385e4258 100644
--- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, 
{"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, 
Potential Bazar Loader User-Agents"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
index 102d28d547..6282123f20 100644
--- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows 
Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, 
Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Powershell Web Request, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Lazarus Loaders, PowerShell Download From URL, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus 
Set-MpPreference Base64 Encoded, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, Trickbot Malware Activity, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Elise Backdoor, PowerShell Downgrade Attack"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive 
Files With Credential Data, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Rare Logonui Child Found, New Service Creation, Rare Lsass Child Found, Explorer Wrong Parent, SolarWinds Wrong Child Process, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1543", "score": 100, 
"comment": "Rules: Searchprotocolhost Child Found, Rare Logonui Child Found, New Service Creation, Rare Lsass Child Found, Explorer Wrong Parent, SolarWinds Wrong Child Process, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Suspicious DNS Child Process, Usage Of Sysinternals Tools, Rare Logonui Child Found, Rare Lsass Child Found, PsExec Process, SolarWinds Wrong Child Process, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchprotocolhost Child Found, Windows Update LolBins, SolarWinds Suspicious File Creation, Suspicious DNS Child Process, Usage Of Sysinternals Tools, Rare Logonui Child Found, Rare Lsass Child Found, PsExec Process, SolarWinds Wrong Child Process, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Usage Of Procdump With Common Arguments, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": 
"T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent"}, {"techniqueID": "T1036.005", 
"score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, MOFComp Execution, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, SquirrelWaffle Malspam 
Execution Loading DLL, Suspicious Mshta Execution, IcedID Execution Using Excel, CMSTP Execution, CertOC Loading Dll"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": 
"Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook 
Registry Manipulation, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, 
{"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To 
Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration, Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, 
{"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, 
"comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus 
Loaders, Suspicious Outlook Child Process, Trickbot Malware Activity, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through 
Command Line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious 
VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning 
Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MOFComp Execution, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, xWizard Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1085", 
"score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Netsh Port Forwarding, Ngrok Process Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Disable Workstation Lock, FlowCloud Malware"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software 
Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender 
Antivirus Restoration Abuse, Netsh Port Opening, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Rare Logonui Child Found, Winword wrong parent, Explorer Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Child Found, New Service Creation, Rare Logonui Child Found, Winword wrong parent, Explorer Wrong Parent, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Child Found"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Child Found, Usage Of Procdump With Common Arguments, Winword wrong parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Suspicious DNS Child Process, Searchprotocolhost Child Found"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Child Found, Windows Update LolBins, Usage Of Procdump With Common Arguments, Winword wrong parent, Rare Logonui Child Found, SolarWinds Wrong Child Process, Searchprotocolhost Child Found, PsExec Process, Taskhost or Taskhostw Suspicious Child Found, Rare Lsass Child Found, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Suspicious DNS Child Process, 
SolarWinds Suspicious File Creation"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning 
Suspicious Processes, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group 
And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, Kernel Module Alteration"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": 
"Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And 
SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill 
Command"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, 
"comment": "Rules: Erase Shell History"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json index c866ec0cc7..b8269ea0ad 100644 
--- a/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_9f47aa9f-52d7-4849-9462-cf7fc8bcd51a_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Claroty xDome [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Claroty xDome [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, 
"comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json index b4958ba8ac..7c4ce482d6 100644 --- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cybereason EDR Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Cybereason EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 
100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Cybereason EDR Alert, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, 
{"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, 
{"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 
100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Cybereason EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Cybereason EDR Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Cybereason EDR Alert, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package 
Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json index b83363fd38..41aed1ff84 100644 --- a/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a0716ffd-5f9e-4b97-add4-30f1870e3d03_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Netskope Transaction Events [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": 
"T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Netskope Transaction Events [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", 
"score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, 
"comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json index 4537e18e36..68bd92a975 100644 --- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: 
Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": 
"T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab 
CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default POST Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious 
URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json index 1da576113b..d8d96d8ac0 100644 --- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json index 99d16523d6..27b89ba621 100644 --- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools 
Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 
100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", 
"score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json index 0130583671..179b75da1c 100644 --- a/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_aeb7d407-db57-44b2-90b6-7df6738d5d7f_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x FreeRADIUS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1110.001", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: FreeRADIUS Failed Authentication"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json index 6f321f571a..aebd73b402 100644 --- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json 
+++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Possible Malicious File 
Double Extension, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Creation, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh 
Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion 
Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Elise Backdoor, PowerShell Downgrade Attack, Python Offensive Tools and Packages"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": 
"Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", 
"score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Cron Files Alteration"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using 
Rdrleakdiag"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, CMSTP Execution, MavInject Process Injection, xWizard Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": 
"Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service 
Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": 
"T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, 
"comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, 
"comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell 
Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Lazarus Loaders, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying 
Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server 
Creating Unusual Files, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Mshta JavaScript Execution, CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Python HTTP Server, Koadic MSHTML Command, 
Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Cron Files Alteration, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation 
Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit 
RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 
Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, 
"comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec 
Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, 
"comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike 
Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, 
{"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json index 500fc7aafe..85b336ab58 100644 --- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, 
{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, 
Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": 
"Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json index 2d2ad45c89..4f22c057b1 100644 --- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix Network Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double 
Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix Network 
Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, 
"comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json index ed350f4e61..0e9910de13 100644 --- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Lemon 
Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json index af7936bdbc..4766f2a394 100644 --- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json index c942f4264a..08cc362580 100644 --- a/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bf8867ee-43b7-444c-9475-a7f43754ab6d_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vectra Cognito Detect", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Vectra General Threat Detection"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": 
"T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json index 5b273f4f9a..103a8b7a22 100644 --- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Suspicious Windows DNS Queries, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, 
Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Chafer (APT 39) Activity, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: 
Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Winrshost Wrong Parent, Rare Logonui Child Found, Csrss Wrong Parent, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Wininit Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Windows Update LolBins, SolarWinds Suspicious File Creation, Lsass Wrong Parent, Rare Lsass Child Found, Microsoft Defender Antivirus Threat Detected, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus Tampering Detected, ETW 
Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Netsh RDP Port Opening, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Services, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, SELinux Disabling, Netsh Program Allowed With Suspicious Location, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Tampering Detected, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Disable .NET ETW Through COMPlus_ETWEnabled, Clear EventLogs Through CommandLine, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Disabled Service, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Powershell AMSI Bypass, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, TrustedInstaller Impersonation, Netsh RDP Port Opening, 
Microsoft Defender Antivirus Disable Services, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Suspicious Driver Loaded, SELinux Disabling, Netsh Program Allowed With Suspicious Location, Windows Defender Deactivation Using PowerShell Script, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Disabled Service, WMIC Uninstall Product, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, FromBase64String Command Line, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Credential Prompt, WMImplant Hack Tool, Powershell Web Request, Suspicious PowerShell Keywords, PowerShell EncodedCommand, PowerShell Download From URL, Suspicious PowerShell Invocations - Generic, PowerShell - NTFS Alternate Data Stream, Suspicious Taskkill Command, Invoke-TheHash Commandlets, FromBase64String Command Line, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus 
Exclusion Command, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line, Mshta Suspicious Child Process, PowerShell Malicious PowerShell Commandlets, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: PowerShell Credential Prompt, WMImplant Hack Tool, Powershell Web Request, Socat Reverse Shell Detection, Suspicious PowerShell Keywords, QakBot Process Creation, Interactive Terminal Spawned via Python, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Lazarus Loaders, PowerShell Download From URL, Suspicious Cmd.exe Command Line, Suspicious PowerShell Invocations - Generic, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, PowerShell - NTFS Alternate Data Stream, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Invoke-TheHash Commandlets, FromBase64String Command Line, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Microsoft Defender Antivirus Threat Detected, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Exploiting 
SetupComplete.cmd CVE-2019-1378, Suspicious XOR Encoded PowerShell Command Line, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Mshta Suspicious Child Process, Microsoft Office Creating Suspicious File, PowerShell Malicious PowerShell Commandlets, Trickbot Malware Activity, Suspicious Outlook Child Process, PowerShell Invoke Expression With Registry, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Elise Backdoor, PowerShell Downgrade Attack, Python Offensive Tools and Packages"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, Admin User RDP Remote Logon, Account Removed From A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho 
ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, HackTools Suspicious Names, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Createdump, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, AdFind Usage, Phosphorus Domain Controller Discovery, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": 
"T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, Cobalt Strike Default Beacons Names, Microsoft Office Spawning Script, Suspicious Outlook Child Process, MS Office Product Spawning Exe in User Dir, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Sysmon Windows File Block Executable, Microsoft Defender Antivirus Threat Detected, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Bloodhound and Sharphound Tools Usage, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 2"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, 
"comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMImplant Hack Tool, Suspicious Mshta Execution From Wmi, WMI Install Of Binary, Wmic Process Call Creation, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move 
Laterally, DHCP Server Error Failed Loading the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration, STRRAT Scheduled Task"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent, RTLO Character, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating 
Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, MOFComp Execution, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, IcedID Execution Using Excel, CMSTP Execution, CertOC Loading Dll"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1001.003", "score": 100, "comment": 
"Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious Rundll32.exe Execution, IcedID Execution Using Excel, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 
100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, RDP Login From Localhost, MMC20 Lateral Movement"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Scanning and Discovery"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Msdt (Follina) File Browse Process Execution, Suspicious HWP Child Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, 
Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On 
Directory Service Restore Mode (DSRM) Account, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object 
Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, NjRat Registry Changes, Suspicious desktop.ini Action, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1071.001", 
"score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation, User Account Created"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": 
"T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1053.003", "score": 100, 
"comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, FromBase64String Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Invoke-TheHash Commandlets, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, PowerShell Malicious PowerShell Commandlets, FromBase64String Command Line, Suspicious PowerShell Keywords, PowerShell Downgrade Attack, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke Expression With Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious Taskkill Command, PowerShell Credential Prompt, PowerShell - NTFS Alternate Data Stream, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMImplant Hack Tool, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Mshta 
Suspicious Child Process, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, PowerShell Download From URL"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Invoke-TheHash Commandlets, Suspicious VBS Execution Parameter, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Lazarus Loaders, PowerShell Malicious PowerShell Commandlets, FromBase64String Command Line, Suspicious Outlook Child Process, Trickbot Malware Activity, Venom Multi-hop Proxy agent detection, Elise Backdoor, Suspicious PowerShell Keywords, Sysprep On AppData Folder, PowerShell Downgrade Attack, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell Invoke Expression With Registry, Suspicious Cmd.exe Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Microsoft Defender Antivirus Threat Detected, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Malicious PowerShell Keywords, Suspicious Taskkill Command, PowerShell Credential Prompt, Socat Relaying Socket, PowerShell - NTFS Alternate Data Stream, Powershell Web Request, Socat Reverse Shell Detection, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, WMImplant Hack Tool, Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Suspicious PowerShell Invocations - Generic, Microsoft Office Creating Suspicious File, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, 
Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Chafer (APT 39) Activity, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Cron Files Alteration, Chafer (APT 39) Activity, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Windows Credential Editor Registry Key, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, HackTools Suspicious Names, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": 
"T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Invoke-TheHash Commandlets, WMI Install Of Binary, Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, WMImplant Hack Tool, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Taskkill Command, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, 
Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, RTLO Character, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Explorer Wrong Parent, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Suspicious HWP Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office 
Product Spawning Windows Shell, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Microsoft Office Creating Suspicious File, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Winword Document Droppers, Microsoft Defender Antivirus Threat Detected, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, Sysmon Windows File Block Executable, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL Loading By Ordinal, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MOFComp Execution, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, xWizard Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC 
Command To Determine The Antivirus"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Potential DNS Tunnel, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Ngrok Process Execution"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Suspicious desktop.ini Action, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, Disable 
.NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, Disable Workstation Lock, Chafer (APT 39) Activity, FlowCloud Malware"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Microsoft Defender Antivirus Tampering Detected, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, AMSI Deactivation Using Registry Key, Powershell AMSI Bypass, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, TrustedInstaller Impersonation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Disable .NET ETW Through COMPlus_ETWEnabled, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: 
Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Chafer (APT 39) Activity, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong 
Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Microsoft Defender Antivirus Threat Detected, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Wininit Wrong Parent, Csrss Child Found, Windows Update LolBins, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution, DNS 
Tunnel Technique From MuddyWater"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, RDP Login From Localhost, MMC Spawning Windows Shell"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable SecurityHealth, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, TrustedInstaller Impersonation, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Services"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, 
{"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Admin User RDP Remote Logon, Failed Logon Source From Public IP Addresses, Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus Tampering Detected, Erase Shell History, High Privileges Network Share Removal, ETW Tampering, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation"}, {"techniqueID": "T1135", 
"score": 100, "comment": "Rules: Network Share Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, Exploiting SetupComplete.cmd CVE-2019-1378, Linux Shared Lib Injection Via Ldso Preload, DHCP Server Loaded the CallOut DLL, Dynamic Linker Hijacking From Environment Variable, DNS Server Error Failed Loading The ServerLevelPluginDLL, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line, Rubeus Register New Logon Process"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups, Stop Backup Services"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom 
Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Powershell AMSI Bypass, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, PowerView commandlets 1"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, PowerView commandlets 2, PowerView commandlets 1, AdFind Usage, Trickbot Malware Activity, Phosphorus Domain Controller Discovery, NlTest Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and 
Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Potential DNS Tunnel, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key 
Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Loaded the CallOut DLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account, SSH Authorized Key Alteration"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1564.004", "score": 100, 
"comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1590", "score": 100, "comment": "Rules: Adidnsdump Enumeration"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery, PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1546.007", "score": 
100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Certify Or Certipy, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, 
"comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space 
Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json index cb5c407359..fe94dc51ce 100644 --- a/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c20528c1-621e-4959-83ba-652eca2e8ed0_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft Intune", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Intune Policy Change"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Microsoft Intune Non-Compliant Device"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json index bf8d6d8003..4cd1fe995a 100644 
--- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) AtpDetection, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Mass Download By A Single User, Possible Malicious File Double Extension, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) DLP Policy Removed, Suspicious Double Extension, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Safe 
Attachment Rule Disabled, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) Unusual Volume Of File Deletion"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) AtpDetection, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Unusual Volume Of File Deletion"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 
100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Koadic MSHTML Command, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Failed Logon Source From Public IP Addresses, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication, Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": 
"Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: 
Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Double Extension, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, 
Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents"}, 
{"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Double Extension, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Possible Malicious File Double Extension, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, 
Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Safelinks Disabled, Suspicious Double Extension, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, 
{"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, Failed Logon Source From Public IP Addresses, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": 
"T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) DLP Policy Removed, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) MCAS Inbox Hiding, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Safelinks Disabled"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender 
for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 
100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json index 74d6ecb7cb..63145da572 100644 --- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}]} \ No newline at end of file +{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": 
"4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json index da3dd79d6c..981f4aade1 100644 --- a/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d14567dd-56b1-42f8-aa64-fb65d4b0a4cf_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway Network [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway Network [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json index 93bafd8f6b..278a4599c9 100644 --- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Cobalt Strike HTTP Default POST Beaconing, LokiBot Default C2 URL, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, 
"comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file 
+{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, 
Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json index 5273db0acf..261a49c551 100644 --- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Policy Changed, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail Route 53 Domain Transfer Lock Disabled"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key 
Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Disable MFA, AWS CloudTrail Important Change, AWS CloudTrail EventBridge Rule Disabled Or Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Remove Flow logs, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Disable MFA, AWS CloudTrail Important Change, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail EC2 Security Group Modified"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail EC2 Subnet Deleted"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail Important Change, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail GuardDuty 
Detector Suspended"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail Disable MFA, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail Important Change, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail GuardDuty Detector Suspended"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail RDS DB Cluster/Instance Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Change Master Password, AWS CloudTrail RDS Public DB Restore"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail Root ConsoleLogin, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Policy Changed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail IAM Failed User Creation, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Policy Changed"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, 
{"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json index 7c83c2aeb6..c11adb7887 100644 --- a/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d626fec3-473a-44b3-9e3d-587fdd99a421_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Broadcom Secure Web Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Potential Lemon Duck User-Agent, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Broadcom Secure Web Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json index 2f86b1ac0e..51d82f8ada 100644 --- a/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d6d15297-e977-4584-9bb3-f0290b99f014_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x ArubaOS Switch", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json index e8a821d58a..b54f4f23bb 100644 
--- a/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d6f69e04-6ab7-40c0-9723-84060aeb5529_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Rubycat PROVE IT", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Rubycat PROVEIT Admin Service Modified"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json index 9e330e8b7d..8e71cb923f 100644 --- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": 
"Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json index a36b284367..1b1ce60c16 100644 --- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 
100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, TrevorC2 HTTP Communication, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": 
"4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Bazar Loader User-Agents, TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator 
Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json index b24c35a75b..ecc55318a3 100644 --- a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}]} \ No newline 
at end of file +{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry Activity, Disable Workstation Lock, FlowCloud Malware"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No 
newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
index 5c01706bd7..80b19021cb 100644
--- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, Sliver DNS Beaconing, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From 
Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall 
Arbitrary File Read"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, Sliver DNS Beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, 
CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cobalt Strike HTTP Default GET beaconing, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Cobalt Strike HTTP Default POST Beaconing, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, 
"comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json index d390a3d03e..32eae00fe7 100644 --- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, 
{"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}]} \ No newline at end of file 
+{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key 
Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}]} \ No newline at end of file 
diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
index 94d3f322e8..6577f38179 100644
--- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator 
Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", 
"score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json index 04696353cc..40f5c0bbce 100644 --- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Malware Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": 
[{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Scam Detected By Vade For M365 And Not Blocked, Spearphishing (CEO Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Malware Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json index a29f70d0ab..3189a9f3b0 100644 
--- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Blacklist Manipulations, Okta Security Threat Configuration Updated, Okta Network Zone Deleted, Okta Network Zone Modified, Okta Network Zone Deactivated, Okta MFA Disabled"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta User Account Deactivated, Okta Application modified, Okta User Impersonation Access, Okta Admin Privilege Granted, Okta Application deleted"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Modified, Okta Network Zone Deleted, 
Okta Network Zone Deactivated"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Application modified, Okta User Impersonation Access, Okta User Account Deactivated, Okta Admin Privilege Granted, Okta Application deleted"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Modified, Okta Network Zone Deactivated, Okta Network Zone Deleted"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Blacklist Manipulations, Okta Network Zone Modified, Okta MFA Disabled, Okta Network Zone Deleted, Okta Security Threat Configuration Updated, Okta Network Zone Deactivated"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", 
"score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json index 28e422c80b..49a841f73c 100644 --- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Disabled Service, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus 
Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, SELinux Disabling, Microsoft Defender Antivirus Disable Scheduled Tasks, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, Disabled Service, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, Default Encoding To UTF-8 PowerShell, PowerShell Downgrade Attack, Suspicious Taskkill Command, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, Socat Reverse Shell 
Detection, Interactive Terminal Spawned via Python, PowerShell EncodedCommand, Suspicious VBS Execution Parameter, Lazarus Loaders, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell Invocations - Specific, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Microsoft Office Creating Suspicious File, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Elise Backdoor, PowerShell Downgrade Attack, Python Offensive Tools and Packages"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Elise Backdoor, Phorpiex DriveMgr Command, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, 
{"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, WCE wceaux.dll Creation, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Comsvcs, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": 
"Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading, IIS Module Installation 
Using AppCmd"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Mshta Execution, Control Panel Items, PowerShell Execution Via Rundll32, Explorer Process Executing HTA File, Suspicious Rundll32.exe Execution, CMSTP Execution, MavInject Process Injection, xWizard Execution, Suspicious Windows Installer Execution, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Mshta JavaScript Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": 
"T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, 
{"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, PowerCat Function Loading"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Socat Reverse Shell 
Detection, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, SOCKS Tunneling Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Listing Systemd 
Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, 
{"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, 
"comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Python Offensive Tools and Packages, Lazarus Loaders, Venom Multi-hop Proxy agent detection, Elise Backdoor, 
Sysprep On AppData Folder, PowerShell Downgrade Attack, Linux Bash Reverse Shell, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Socat Relaying Socket, Socat Reverse Shell Detection, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Interactive Terminal Spawned via Python, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Microsoft Office Creating Suspicious File, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, HackTools Suspicious Process Names In Command Line"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And 
Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Wmic Service Call, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, MalwareBytes Uninstallation, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter, Microsoft Office Creating Suspicious File, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, IIS Module Installation Using AppCmd, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe 
Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Equation Group DLL_U Load, Mshta JavaScript Execution, CMSTP Execution, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Empire Monkey Activity, PowerShell Execution Via Rundll32, Control Panel Items, MavInject Process Injection, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, Suspicious DLL Loading By Ordinal, AccCheckConsole Executing Dll, Suspicious Mshta Execution, xWizard Execution, Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Socat Relaying Socket, Socat Reverse Shell Detection, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection, Ngrok Process Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer 
Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Disabled Service, Netsh RDP Port Forwarding, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, SELinux Disabling, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, 
Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Double Extension"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", 
"score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection, Socat Relaying Socket"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound 
Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Suspicious Finger Usage, Suspicious certutil command, Rclone Process"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, 
{"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: 
Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, 
{"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", 
"score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
index 19e5ef16a4..22844c2c6d 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files 
From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 
100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": 
"T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": 
"Rules: Cron Files Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, 
{"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound 
and Sharphound Tools Usage, Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1082", "score": 100, 
"comment": "Rules: System Info Discovery"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, 
"comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
index 72d5badb17..2686d4ba9e 100644
--- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json
@@ -1 +1 @@ -{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Computer Account Deleted"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed 
From A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Computer Account Deleted, User Account Deleted"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json index d1fdf275fa..bf3978d09e 100644 --- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-21985 VMware vCenter, CVE-2018-11776 Apache Struts2"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to 
Konni C2 servers, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP 
Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-0604 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2018-11776 Apache Struts2, CVE-2021-21985 VMware vCenter, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-1147 SharePoint, CVE-2021-21972 VMware vCenter"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS 
Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json index 4f0c35ec8d..d7f8a2a305 100644 --- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-21985 VMware vCenter, CVE-2019-11510 Pulse Secure Exploit, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-26855 Exchange SSRF, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2019-0604 SharePoint, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2019-19781 Citrix NetScaler (ADC)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 
100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", 
"score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2019-11510 Pulse Secure Exploit, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, GitLab CVE-2021-22205, CVE-2021-43798 Grafana Directory 
Traversal, CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2018-13379 Fortinet Exploit, CVE-2018-11776 Apache Struts2, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-26855 Exchange SSRF, CVE-2020-17530 Apache Struts RCE, CVE-2021-21985 VMware vCenter, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, FoggyWeb HTTP Default GET/POST Requests, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, LokiBot Default C2 URL, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, 
{"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json index e783cec694..7486514ea2 100644 --- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json 
@@ -1 +1 @@ -{"name": "SEKOIA.IO x Stormshield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, DNS Exfiltration and Tunneling Tools Execution, Python HTTP Server, Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Winword Document Droppers, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, IcedID Execution Using Excel, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 
100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Possible Malicious File Double Extension, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Exploit For CVE-2017-0261 Or CVE-2017-0262, AutoIt3 Execution From Suspicious Folder, Explorer Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, IIS Module Installation Using AppCmd, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant, Rclone Process, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": 
"T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Svchost Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Taskhost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Searchindexer Wrong Parent, Logonui Wrong Parent, Smss Wrong Parent, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Explorer Wrong Parent, Taskhost Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, 
Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Wsmprovhost Wrong Parent, Svchost Wrong Parent, Userinit Wrong Parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Searchindexer Wrong Parent, Usage Of Sysinternals Tools, Logonui Wrong Parent, Smss Wrong Parent, Suspicious DNS Child Process, Csrss Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Spoolsv Wrong Parent, Taskhostw Wrong Parent, SolarWinds Wrong Child Process, PsExec Process, Dllhost Wrong Parent, Searchprotocolhost Child Found, Searchprotocolhost Wrong Parent, Winword wrong parent, Windows Update LolBins, Lsass Wrong Parent, Rare Lsass Child Found, OneNote Suspicious Children Process, Wmiprvse Wrong Parent"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Clear EventLogs Through CommandLine, High Privileges Network Share Removal"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable 
Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, ETW Tampering, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allowed Python Program, Clear EventLogs Through CommandLine, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Allow Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, Fail2ban Unban IP, Netsh Port Opening, Address Space Layout Randomization (ASLR) Alteration, Disabled IE Security Features, Debugging Software Deactivation, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Raccine Uninstall, Netsh Port Forwarding, Suspicious Driver Loaded, Netsh Program Allowed With Suspicious Location, Package Manager Alteration, Microsoft Defender Antivirus Disable Scheduled Tasks, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Netsh RDP Port Forwarding, WMIC 
Uninstall Product, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Mshta Execution, Suspicious certutil command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Powershell Web Request, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Taskkill Command, PowerShell EncodedCommand, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious PowerShell Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, PowerShell Download From URL, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Powershell Web Request, QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, PowerShell EncodedCommand, Lazarus Loaders, PowerShell Download From URL, Suspicious Cmd.exe Command Line, XSL Script Processing And SquiblyTwo Attack, Linux Bash Reverse Shell, Phorpiex DriveMgr Command, Suspicious Windows Script Execution, Suspicious Taskkill Command, Suspicious CodePage Switch with CHCP, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Generic-reverse-shell-oneliner, Sysprep On AppData Folder, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, MalwareBytes Uninstallation, Suspicious PowerShell 
Invocations - Specific, Exploited CVE-2020-10189 Zoho ManageEngine, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, SquirrelWaffle Malspam Execution Loading DLL, Mshta Suspicious Child Process, Trickbot Malware Activity, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, AutoIt3 Execution From Suspicious Folder, Elise Backdoor, PowerShell Downgrade Attack"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Taskkill Command, Lazarus Loaders, MalwareBytes Uninstallation, Suspicious CodePage Switch with CHCP, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Elise Backdoor, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Copying Browser Files With Credentials"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Cmdkey Cached Credentials Recon, Process Trace Alteration, HackTools Suspicious Process Names In Command Line, Grabbing Sensitive Hives Via Reg Utility, Process Memory Dump Using Comsvcs, Rubeus Tool Command-line, Process Memory Dump 
Using Rdrleakdiag, Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh Port Forwarding, Netsh Port Opening, Netsh Allow Command, Netsh Program Allowed With Suspicious Location, Netsh Allowed Python Program, Windows Firewall Changes, Netsh RDP Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, WMI Install Of Binary, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, Wmic Service Call, Impacket Wmiexec Module, WMIC Uninstall Product"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.005", 
"score": 100, "comment": "Rules: QakBot Process Creation, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, STRRAT Scheduled Task"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation, Schtasks Persistence With High Privileges, Spyware Persistence Using Schtasks, Blue Mockingbird Malware, Cron Files Alteration, STRRAT Scheduled Task"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Suspicious Taskkill Command, Suspicious Mshta Execution, Mshta JavaScript 
Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, Suspicious Control Process, Suspicious Regasm Regsvcs Usage, Suspicious Rundll32.exe Execution, Suspicious Windows Installer Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Taskkill Command, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, Suspicious DLL Loading By Ordinal, MOFComp Execution, Explorer Process Executing HTA File, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Mshta Execution, IcedID Execution Using Excel, CMSTP Execution, CertOC Loading Dll"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove 
Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Container Credential Access, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Suspicious Control Process, Control Panel Items"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters, RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, Equation Group DLL_U Load, PowerShell Execution Via Rundll32, IcedID Execution Using Excel, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool 
Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, FlowCloud Malware, Blue Mockingbird Malware, Disable Workstation Lock, RDP Sensitive Settings Changed, OceanLotus Registry Activity, Ursnif Registry Key"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1040", "score": 
100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, WiFi Credentials Harvesting Using Netsh, Network Sniffing Windows"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser 
Execution To Download File, Listing Systemd Environment, System Info Discovery, List Shadow Copies"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, Hiding Files With Attrib.exe"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, Autorun Keys Modification"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support 
Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, 
{"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Linux Shared Lib Injection Via Ldso Preload, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Stormshield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious Taskkill Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Powershell Web Request, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, 
DNS Exfiltration and Tunneling Tools Execution, PowerShell Downgrade Attack"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious VBS Execution Parameter, PowerShell Malicious Nishang PowerShell Commandlets, Lazarus Loaders, Suspicious Outlook Child Process, Trickbot Malware Activity, Elise Backdoor, Sysprep On AppData Folder, PowerShell Downgrade Attack, SquirrelWaffle Malspam Execution Loading DLL, Linux Bash Reverse Shell, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Generic-reverse-shell-oneliner, Suspicious CodePage Switch with CHCP, Default Encoding To UTF-8 PowerShell, Suspicious Taskkill Command, Powershell Web Request, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, AutoIt3 Execution From Suspicious Folder, DNS Exfiltration and Tunneling Tools Execution, PowerShell EncodedCommand, Mshta Suspicious Child Process, Phorpiex DriveMgr Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious PowerShell Invocations - Specific, Suspicious Windows Script Execution, PowerShell Download From URL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, STRRAT Scheduled Task, Spyware Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges, Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Cron Files Alteration, STRRAT Scheduled Task, Spyware 
Persistence Using Schtasks, Schtasks Suspicious Parent, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data, Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Windows Credential Editor Registry Key, Cmdkey Cached Credentials Recon, Rubeus Tool Command-line, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Permission Discovery Via Wmic, Bloodhound and Sharphound Tools Usage, Domain Group And Permission Enumeration"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, Linux Remove Immutable Attribute, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: WMI Install Of Binary, Blue Mockingbird Malware, Impacket Wmiexec Module, Wmic Service Call, Suspicious Mshta Execution From Wmi, WMIC Uninstall Product, Wmic Process Call Creation, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, SquirrelWaffle 
Malspam Execution Loading DLL, Suspicious Taskkill Command, MalwareBytes Uninstallation, Exploiting SetupComplete.cmd CVE-2019-1378, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Suspicious CodePage Switch with CHCP, Elise Backdoor, WMIC Uninstall Product"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, Suspicious VBS Execution Parameter, Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Suspicious CodePage Switch with CHCP, Suspicious Windows Script Execution, XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Suspicious Cmd.exe Command Line, Formbook Hijacked Process Command, Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, AutoIt3 Execution From Suspicious Folder, Phorpiex Process Masquerading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Outlook Registry Access, Linux Suspicious Search, Adexplorer Usage, Opening Of a Password File, XCopy Suspicious Usage"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, 
{"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious Outlook Child Process, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Suspicious HWP Child Process, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Spawning Script, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Suspicious Outlook Child Process, Winword Document Droppers, Explorer Process Executing HTA File, Microsoft Office Product Spawning Windows Shell, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Equation Group DLL_U Load, SquirrelWaffle Malspam Execution Loading DLL, IcedID Execution Using Excel, Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Suspicious Rundll32.exe Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Regsvr32 Execution, Mshta JavaScript Execution, SquirrelWaffle Malspam Execution Loading DLL, CMSTP Execution, Suspicious Windows Installer Execution, Empire Monkey Activity, Explorer Process Executing HTA File, Suspicious Control Process, Suspicious DLL 
Loading By Ordinal, Suspicious Mshta Execution, Suspicious Rundll32.exe Execution, CMSTP UAC Bypass via COM Object Access, Suspicious Regasm Regsvcs Usage, Suspicious Taskkill Command, PowerShell Execution Via Rundll32, MOFComp Execution, MavInject Process Injection, CertOC Loading Dll, AccCheckConsole Executing Dll, xWizard Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, DNS Tunnel Technique From MuddyWater, Python HTTP Server, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, RDP Sensitive Settings Changed, Ursnif Registry Key, OceanLotus Registry 
Activity, Blue Mockingbird Malware, Disable Workstation Lock, FlowCloud Malware"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Mshta JavaScript Execution, Explorer Process Executing HTA File, Suspicious Taskkill Command"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Spoolsv Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection, Svchost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent, Wsmprovhost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wmiprvse Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer Wrong Parent, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, New Service Creation, OneNote Suspicious Children Process, Rare Logonui Child Found, Explorer Wrong Parent, Searchindexer 
Wrong Parent, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Csrss Child Found, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Csrss Wrong Parent, Winlogon wrong parent, Svchost Wrong Parent, Suspicious DNS Child Process, Wsmprovhost Wrong Parent, Wmiprvse Wrong Parent, Spoolsv Wrong Parent, Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, Lsass Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Searchprotocolhost Wrong Parent, Taskhost Wrong Parent, Dllhost Wrong Parent, OneNote Suspicious Children Process, Rare Logonui Child Found, Searchindexer Wrong Parent, PsExec Process, Suspicious Commands From MS SQL Server Shell, Userinit Wrong Parent, Csrss Child Found, Windows Update LolBins, Winword wrong parent, Taskhost or Taskhostw Suspicious Child Found, Logonui Wrong Parent, Usage Of Sysinternals Tools"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification, RUN Registry Key Created From 
Suspicious Folder"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration, Security Support Provider (SSP) Added to LSA Configuration, RUN Registry Key Created From Suspicious Folder"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Debugging Software Deactivation, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: NetSh Used To Disable Windows Firewall, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Netsh Port Forwarding, ETW Tampering, Disable Task Manager Through Registry Key, PowerShell AMSI Deactivation 
Bypass Using .NET Reflection, MalwareBytes Uninstallation, Clear EventLogs Through CommandLine, Debugging Software Deactivation, AMSI Deactivation Using Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Fail2ban Unban IP, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Netsh RDP Port Opening, Microsoft Defender Antivirus Disabled Base64 Encoded, WMIC Uninstall Product, Package Manager Alteration, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Opening, Netsh Allowed Python Program, Suspicious Driver Loaded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Windows Firewall Changes"}, {"techniqueID": "T1526", "score": 100, "comment": "Rules: AzureEdge in Command Line"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Capture a network trace with netsh.exe, Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History 
Directory Deleted, Erase Shell History, High Privileges Network Share Removal, ETW Tampering"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally, Linux Shared Lib Injection Via Ldso Preload, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, CMSTP Execution, MOFComp Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, PowerCat Function Loading, ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Inhibit System Recovery Deleting Backups, Suncrypt Parameters, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program, Netsh RDP Port Forwarding, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh Allow Command"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 
100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage, Trickbot Malware Activity, NlTest Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Mshta Execution"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Pandemic Windows Implant, Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": 
"T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, Powershell UploadString Function, Rclone Process"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Remote Monitoring and Management Software - AnyDesk"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe 
Command Line"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, List Shadow Copies, Listing Systemd Environment, System Info Discovery"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1218.009", "score": 100, "comment": "Rules: Suspicious Regasm Regsvcs Usage"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.007", "score": 100, 
"comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or 
Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: Linux Bash Reverse Shell"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1552.004", "score": 100, "comment": "Rules: Linux Suspicious Search"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Linux Shared Lib Injection Via Ldso Preload"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1610", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1611", "score": 100, "comment": "Rules: Docker Escape Bind Mount"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: Linux Remove Immutable Attribute"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning 
and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
index c5997e02e2..746b93043f 100644
--- a/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
+++ b/_shared_content/operations_center/detection/generated/attack_fc99c983-3e6c-448c-97e6-7e0948e12415_do_not_edit_manually.json
@@ -1 +1 @@
-{"name": "SEKOIA.IO x AWS CloudFront [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]}
\ No newline at end of file
+{"name": "SEKOIA.IO x AWS CloudFront [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, 
{"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]}
\ No newline at end of file
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
index 998a6107eb..12fdbe4834 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md
@@ -2,6 +2,9 @@ Changelog _last update on 2024-01-31_ ## Changelog +### Svchost Wrong Parent + - 31/01/2024 - minor - Adding filters to reduce false positives + ### Inhibit System Recovery Deleting Backups - 31/01/2024 - minor - Improve selection filter 
@@ -26,12 +29,12 @@ Changelog _last update on 2024-01-31_ ### Legitimate Process Execution From Unusual Folder - 04/01/2024 - major - Rework filter selection with contains instead of re modifier -### Grabbing Sensitive Hives Via Reg Utility - - 02/01/2024 - minor - Rule was improved to have broader detection and filters were added. - ### Suspicious Driver Loaded - 02/01/2024 - minor - improve selection to avoid FP +### Grabbing Sensitive Hives Via Reg Utility + - 02/01/2024 - minor - Rule was improved to have broader detection and filters were added. + ### SolarWinds Wrong Child Process - 22/12/2023 - minor - Adding a child process name to the filter list to avoid some FPs @@ -50,17 +53,17 @@ Changelog _last update on 2024-01-31_ ### HTA Infection Chains - 30/11/2023 - minor - Update pattern with new lolbin +### PowerShell Download From URL + - 29/11/2023 - minor - Added a filter to the rule as some false positives were observed. + ### WMImplant Hack Tool - 29/11/2023 - minor - Added a selection to filter some false positives. -### NjRat Registry Changes - - 29/11/2023 - minor - Update regex pattern to insensitive case - ### Netsh Program Allowed With Suspicious Location - 29/11/2023 - minor - Update regex pattern to insensitive case -### PowerShell Download From URL - - 29/11/2023 - minor - Added a filter to the rule as some false positives were observed. +### NjRat Registry Changes + - 29/11/2023 - minor - Update regex pattern to insensitive case ### RDP Login From Localhost - 24/11/2023 - minor - Effort level changed to advanced. 
@@ -71,23 +74,26 @@ Changelog _last update on 2024-01-31_ ### TOR Usage Generic Rule - 22/11/2023 - minor - Adding filter to improve rule. +### WiFi Credentials Harvesting Using Netsh + - 21/11/2023 - minor - Rule's effort level has been changed to advanced as it was highly dependent on the environment. + ### Suspicious Double Extension - 21/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment. ### AD Object WriteDAC Access - 21/11/2023 - minor - Rule's effort level has been changed to advanced as legitimate administrator actions can trigger the rule. -### WiFi Credentials Harvesting Using Netsh - - 21/11/2023 - minor - Rule's effort level has been changed to advanced as it was highly dependent on the environment. - ### PowerShell Credential Prompt - 20/11/2023 - minor - Rule's effort level has been changed to advanced as it was too dependent on the environment. +### AWS CloudTrail Remove Flow logs + - 15/11/2023 - minor - Changing effort level. + ### WAF Block Rule - 15/11/2023 - minor - Adding support for Ubika -### AWS CloudTrail Remove Flow logs - - 15/11/2023 - minor - Changing effort level. +### NTDS.dit File Interaction Through Command Line + - 08/11/2023 - minor - Added filter to reduce false positives ### ETW Tampering - 08/11/2023 - minor - Added filter to reduce false positives 
@@ -95,9 +101,6 @@ Changelog _last update on 2024-01-31_ ### Cobalt Strike Default Beacons Names - 08/11/2023 - minor - Added filter to reduce false positives -### NTDS.dit File Interaction Through Command Line - - 08/11/2023 - minor - Added filter to reduce false positives - ### AWS CloudTrail GuardDuty Detector Deleted - 08/11/2023 - minor - Added filter to reduce false positives 
@@ -119,15 +122,15 @@ Changelog _last update on 2024-01-31_ ### AdFind Usage - 12/10/2023 - minor - Slight change to a condition in order to reduce false positives. -### Microsoft 365 (Office 365) Unusual Volume Of File Deletion - - 09/10/2023 - major - Fix field names to match the current parser. - ### Microsoft 365 (Office 365) Potential Ransomware Activity Detected - 09/10/2023 - major - Fix field names to match the current parser. ### Microsoft 365 (Office 365) Mass Download By A Single User - 09/10/2023 - major - Fix field names to match the current parser. +### Microsoft 365 (Office 365) Unusual Volume Of File Deletion + - 09/10/2023 - major - Fix field names to match the current parser. + ### Login Brute-Force Successful - 06/10/2023 - minor - renaming and tunn filters to limit False Positive 
@@ -137,87 +140,84 @@ Changelog _last update on 2024-01-31_ ### Suspicious Regasm Regsvcs Usage - 27/09/2023 - major - Rule creation -### Suspicious Rundll32.exe Execution - - 21/09/2023 - minor - Extend to some usage without dll filename - ### UAC Bypass via Event Viewer - 21/09/2023 - minor - Improve filter to reduce false positives -### Searchprotocolhost Wrong Parent - - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation +### Suspicious Rundll32.exe Execution + - 21/09/2023 - minor - Extend to some usage without dll filename -### Wsmprovhost Wrong Parent +### Opening Of a Password File - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Wmiprvse Wrong Parent +### Searchprotocolhost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Explorer Wrong Parent +### Wininit Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Searchindexer Wrong Parent +### Winlogon wrong parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Gpscript Suspicious Parent +### Smss Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Lsass Wrong Parent +### Winword wrong parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Taskhostw Wrong Parent +### Winrshost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Winlogon wrong parent +### Logonui Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Taskhost Wrong Parent +### Wmiprvse Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Winword wrong parent +### Dllhost Wrong Parent - 22/08/2023 - major - adding 
similarity strategy in order to avoid multiple alerts creation -### Smss Wrong Parent +### Taskhostw Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Logonui Wrong Parent +### Explorer Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Wininit Wrong Parent +### Csrss Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Winrshost Wrong Parent +### Lsass Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Dllhost Wrong Parent +### Searchindexer Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Userinit Wrong Parent +### Spoolsv Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Csrss Wrong Parent +### Wsmprovhost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Spoolsv Wrong Parent +### Gpscript Suspicious Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Opening Of a Password File +### Userinit Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Svchost Wrong Parent +### Taskhost Wrong Parent - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation -### Suspicious Network Args In Command Line - - 10/08/2023 - major - Added a list of suspicious processes to drastically reduce false positives. - ### MS Office Product Spawning Exe in User Dir - 10/08/2023 - minor - Rule modified and filter added to reduce false positives. -### Microsoft Defender Antivirus Exclusion Configuration - - 07/08/2023 - major - Considering the amount of false positives the rule effort has been changed to master. 
Furthermore a filter has been added. +### Suspicious Network Args In Command Line + - 10/08/2023 - major - Added a list of suspicious processes to drastically reduce false positives. ### Microsoft Defender Antivirus Tampering Detected - 07/08/2023 - minor - Rule effort changed from intermediate to advanced considering the number of false positives observed. +### Microsoft Defender Antivirus Exclusion Configuration + - 07/08/2023 - major - Considering the amount of false positives the rule effort has been changed to master. Furthermore a filter has been added. + ### Okta User Logged In Multiple Applications - 07/08/2023 - major - Switching type from event_count to value_count | Adding Target in order to match only on different Apps 
@@ -227,12 +227,12 @@ Changelog _last update on 2024-01-31_ ### Suspicious Windows DNS Queries - 02/08/2023 - minor - Added a new field and filters to reduce false positives. -### Account Tampering - Suspicious Failed Logon Reasons - - 01/08/2023 - minor - Similarity strategy for the rule has changed and is now based on the user.target.name field. - ### Wmic Process Call Creation - 01/08/2023 - major - Rewritten as a regex to reduce false positives +### Account Tampering - Suspicious Failed Logon Reasons + - 01/08/2023 - minor - Similarity strategy for the rule has changed and is now based on the user.target.name field. + ### Correlation Potential DNS Tunnel - 19/07/2023 - major - New regex pattern and new filters. 
@@ -254,10 +254,10 @@ Changelog _last update on 2024-01-31_ ### Msdt (Follina) File Browse Process Execution - 19/06/2023 - minor - Added filter to the rule to reduce false positives. -### Socat Reverse Shell Detection +### Socat Relaying Socket - 14/06/2023 - minor - Added filter to the rule to reduce false positives. -### Socat Relaying Socket +### Socat Reverse Shell Detection - 14/06/2023 - minor - Added filter to the rule to reduce false positives. ### Raccoon Stealer 2.0 Legitimate Third-Party DLL Download URL 
@@ -275,11 +275,14 @@ Changelog _last update on 2024-01-31_ ### Internet Scanner - 28/04/2023 - minor - Support for standard ECS FW fields +### Remote Privileged Group Enumeration + - 18/04/2023 - minor - Exclude events from the Local System session that cause false positives. + ### Audio Capture via PowerShell - 18/04/2023 - minor - Use more specific patterns to fix false positives. -### Remote Privileged Group Enumeration - - 18/04/2023 - minor - Exclude events from the Local System session that cause false positives. +### Active Directory User Backdoors + - 06/04/2023 - minor - Removed a selection as it triggered too many false positives, and the detection was not part of the main goal of this rule. ### Mimikatz Basic Commands - 06/04/2023 - minor - Added a filter to the rule as many false positives were observed. 
@@ -287,9 +290,6 @@ Changelog _last update on 2024-01-31_ ### LSASS Memory Dump - 06/04/2023 - minor - Rule effort has been upgraded to master considering the number of different false positives the rule can trigger. -### Active Directory User Backdoors - - 06/04/2023 - minor - Removed a selection as it triggered too many false positives, and the detection was not part of the main goal of this rule. - ### Suspicious PowerShell Invocations - Generic - 28/03/2023 - minor - Excluded some commonly observed false positives. 
diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
index 0e909174a9..128611224e 100644
--- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
+++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md
@@ -3102,8 +3102,9 @@ Rules catalog includes **799 built-in detection rules** ([_last update on 2024-0 - **Changelog:** - - 04/07/2023 - major - Added filter to reduce false positives + - 04/07/2023 - minor - Added filter to reduce false positives - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation + - 31/01/2024 - minor - Adding filters to reduce false positives ??? abstract "TEHTRIS EDR Alert" @@ -4066,8 +4067,9 @@ Rules catalog includes **799 built-in detection rules** ([_last update on 2024-0 - **Changelog:** - - 04/07/2023 - major - Added filter to reduce false positives + - 04/07/2023 - minor - Added filter to reduce false positives - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation + - 31/01/2024 - minor - Adding filters to reduce false positives ??? abstract "Taskhost Wrong Parent" @@ -4660,8 +4662,9 @@ Rules catalog includes **799 built-in detection rules** ([_last update on 2024-0 - **Changelog:** - - 04/07/2023 - major - Added filter to reduce false positives + - 04/07/2023 - minor - Added filter to reduce false positives - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation + - 31/01/2024 - minor - Adding filters to reduce false positives ??? abstract "Taskhost Wrong Parent" @@ -5353,8 +5356,9 @@ Rules catalog includes **799 built-in detection rules** ([_last update on 2024-0 - **Changelog:** - - 04/07/2023 - major - Added filter to reduce false positives + - 04/07/2023 - minor - Added filter to reduce false positives - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation + - 31/01/2024 - minor - Adding filters to reduce false positives ??? abstract "Taskhost Wrong Parent" 
@@ -6092,8 +6096,9 @@ Rules catalog includes **799 built-in detection rules** ([_last update on 2024-0 - **Changelog:** - - 04/07/2023 - major - Added filter to reduce false positives + - 04/07/2023 - minor - Added filter to reduce false positives - 22/08/2023 - major - adding similarity strategy in order to avoid multiple alerts creation + - 31/01/2024 - minor - Adding filters to reduce false positives ??? abstract "Taskhost Wrong Parent" diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md index 91744b0d99..25154cbf97 100644 --- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md +++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md 
@@ -12,493 +12,502 @@ The colors of the EventIDs in this page should be interpreted as follow: ## Rules x Effort Level x EventIDs x Event Providers | Rule Name | Effort Level | EventIDs | Event Providers | | --------- | ------------ | -------- | --------------- | -| DNS ServerLevelPluginDll Installation | master | 1, 13 | Microsoft-Windows-Sysmon | -| Suspicious PsExec Execution | master | 5145 | Microsoft-Windows-Security-Auditing | +| Usage Of Sysinternals Tools | master | 1, 13 | Microsoft-Windows-Sysmon | +| DNS Server Error Failed Loading The ServerLevelPluginDLL | master | 150, 770, 771 | Microsoft-Windows-DNS-Server-Service | +| Microsoft 365 (Office 365) MCAS Inbox Hiding | master | 98 | | +| Net.exe User Account Creation | master | 1 | Microsoft-Windows-Sysmon | | Microsoft 365 (Office 365) MCAS New Country | master | 98 | | -| Admin User RDP Remote Logon | master | 4624 | Microsoft-Windows-Security-Auditing | -| Autorun Keys Modification | master | 12 | Microsoft-Windows-Sysmon | -| Account Removed From A Security Enabled Group | master | 4729 | Microsoft-Windows-Security-Auditing | -| AD Privileged Users Or Groups Reconnaissance | master | 4661 | Microsoft-Windows-Security-Auditing | -| Windows Registry Persistence COM Key Linking | master | 1, 13 | Microsoft-Windows-Sysmon | -| Privileged AD Builtin Group Modified | master | 4727, 4728, 4729, 4730, 4754, 4756, 4757, 4758, 4764 | Microsoft-Windows-Security-Auditing | -| FoggyWeb Backdoor DLL Loading | master | 7 | Microsoft-Windows-Sysmon | -| Computer Account Deleted | master | 4743 | Microsoft-Windows-Security-Auditing | +| Registry Checked For Lanmanserver DisableCompression Parameter | master | 4663 | Microsoft-Windows-Security-Auditing | +| Microsoft 365 (Office 365) MCAS Repeated Delete | master | 98 | | +| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | 13 | Microsoft-Windows-Sysmon | +| Malware Persistence Registry Key | master | 1, 13 | 
Microsoft-Windows-Sysmon | +| Microsoft Office Creating Suspicious File | master | 11 | Microsoft-Windows-Sysmon | +| Suspicious PsExec Execution | master | 5145 | Microsoft-Windows-Security-Auditing | +| Process Hollowing Detection | master | 25 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Exclusion Configuration | master | 13, 5007 | Microsoft-Windows-Sysmon, Microsoft-Windows-Windows Defender | | LSASS Access From Non System Account | master | 4656, 4663 | Microsoft-Windows-Security-Auditing | +| Privileged AD Builtin Group Modified | master | 4727, 4728, 4729, 4730, 4754, 4756, 4757, 4758, 4764 | Microsoft-Windows-Security-Auditing | +| Rubeus Register New Logon Process | master | 4611 | Microsoft-Windows-Security-Auditing | +| Network Share Discovery | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Webshell Creation | master | 11, 4656, 4663 | Microsoft-Windows-Sysmon | | Microsoft Defender Antivirus History Deleted | master | 1013 | Microsoft-Windows-Windows Defender | +| FoggyWeb Backdoor DLL Loading | master | 7 | Microsoft-Windows-Sysmon | +| Windows Registry Persistence COM Key Linking | master | 1, 13 | Microsoft-Windows-Sysmon | +| Advanced IP Scanner | master | 1 | Microsoft-Windows-Sysmon | +| List Shadow Copies | master | 4104 | Microsoft-Windows-PowerShell | +| Suspicious Microsoft Defender Antivirus Exclusion Command | master | 1 | Microsoft-Windows-Sysmon | +| FromBase64String Command Line | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Microsoft 365 (Office 365) MCAS Detection Velocity | master | 98 | | | Potential RDP Connection To Non-Domain Host | master | 8001 | Microsoft-Windows-NTLM | -| Execution From Suspicious Folder | master | 1 | Microsoft-Windows-Sysmon | -| Windows Defender Deactivation Using PowerShell Script | master | 4104 | Microsoft-Windows-PowerShell | -| Usage Of Sysinternals Tools | master | 1, 13 | Microsoft-Windows-Sysmon | -| Windows Firewall 
Changes | master | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Configuration Changed | master | 5007 | Microsoft-Windows-Windows Defender | +| Microsoft 365 (Office 365) Potential Ransomware Activity Detected | master | 40 | | | Cobalt Strike Named Pipes | master | 17 | Microsoft-Windows-Sysmon | -| Sysmon Windows File Block Executable | master | 27 | Microsoft-Windows-Sysmon | -| Narrator Feedback-Hub Persistence | master | 13 | Microsoft-Windows-Sysmon | -| Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys | master | 13 | Microsoft-Windows-Sysmon | -| PowerShell Malicious PowerShell Commandlets | master | 4104 | Microsoft-Windows-PowerShell | +| NjRat Registry Changes | master | 1, 12, 13 | Microsoft-Windows-Sysmon | +| SCM Database Privileged Operation | master | 4674 | Microsoft-Windows-Security-Auditing | | Suspicious Access To Sensitive File Extensions | master | 5145 | Microsoft-Windows-Security-Auditing | -| Microsoft Defender Antivirus Disable Using Registry | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Microsoft 365 (Office 365) Potential Ransomware Activity Detected | master | 40 | | -| Putty Sessions Listing | master | 1, 4656, 4663 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon | +| Microsoft 365 (Office 365) MCAS Risky IP | master | 98 | | +| Account Added To A Security Enabled Group | master | 4728 | Microsoft-Windows-Security-Auditing | +| DNS ServerLevelPluginDll Installation | master | 1, 13 | Microsoft-Windows-Sysmon | +| LSASS Memory Dump | master | 10 | Microsoft-Windows-Sysmon | +| Abusing Azure Browser SSO | master | 7 | Microsoft-Windows-Sysmon | +| Remote Monitoring and Management Software - AnyDesk | master | 1, 22 | Kernel-Process, Microsoft-Windows-DNS-Client | +| WMIC Loading Scripting Libraries | master | 7 | Microsoft-Windows-Sysmon | | File Or Folder Permissions Modifications | master | 1 | Microsoft-Windows-Sysmon | +| Failed Logon 
Source From Public IP Addresses | master | 4625 | Microsoft-Windows-Security-Auditing | | Suspicious DLL Loaded Via Office Applications | master | 7 | Microsoft-Windows-Sysmon | -| Microsoft Office Creating Suspicious File | master | 11 | Microsoft-Windows-Sysmon | -| Webshell Creation | master | 11, 4656, 4663 | Microsoft-Windows-Sysmon | -| Net.exe User Account Creation | master | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 Device Code Authentication | master | 15 | | -| Malware Persistence Registry Key | master | 1, 13 | Microsoft-Windows-Sysmon | -| AD User Enumeration | master | 4662 | Microsoft-Windows-Security-Auditing | -| Microsoft Defender Antivirus Exclusion Configuration | master | 13, 5007 | Microsoft-Windows-Sysmon, Microsoft-Windows-Windows Defender | -| LSASS Memory Dump | master | 10 | Microsoft-Windows-Sysmon | -| Credential Dumping-Tools Common Named Pipes | master | 17 | Microsoft-Windows-Sysmon | -| Svchost DLL Search Order Hijack | master | 7 | Microsoft-Windows-Sysmon | -| Microsoft 365 (Office 365) MCAS Repeated Delete | master | 98 | | +| Admin User RDP Remote Logon | master | 4624 | Microsoft-Windows-Security-Auditing | +| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | 4673 | Microsoft-Windows-Security-Auditing | +| Stop Backup Services | master | 1, 13 | Microsoft-Windows-Sysmon | +| TOR Usage Generic Rule | master | 3 | Microsoft-Windows-Sysmon | +| CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv | master | 7, 11 | Microsoft-Windows-Sysmon | +| Windows Firewall Changes | master | 1 | Microsoft-Windows-Sysmon | +| Autorun Keys Modification | master | 12 | Microsoft-Windows-Sysmon | | Suspicious New Printer Ports In Registry | master | 13 | Microsoft-Windows-Sysmon | +| SCM Database Handle Failure | master | 4656 | Microsoft-Windows-Security-Auditing | +| Microsoft Defender Antivirus Disable Using Registry | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | | User 
Account Created | master | 4720 | Microsoft-Windows-Security-Auditing | -| Suspicious Microsoft Defender Antivirus Exclusion Command | master | 1 | Microsoft-Windows-Sysmon | -| Account Added To A Security Enabled Group | master | 4728 | Microsoft-Windows-Security-Auditing | -| NjRat Registry Changes | master | 1, 12, 13 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Configuration Changed | master | 5007 | Microsoft-Windows-Windows Defender | | Disable Security Events Logging Adding Reg Key MiniNt | master | 13 | Microsoft-Windows-Sysmon | -| Rubeus Register New Logon Process | master | 4611 | Microsoft-Windows-Security-Auditing | -| Stop Backup Services | master | 1, 13 | Microsoft-Windows-Sysmon | -| Microsoft 365 (Office 365) MCAS Detection Velocity | master | 98 | | -| Failed Logon Source From Public IP Addresses | master | 4625 | Microsoft-Windows-Security-Auditing | -| Process Herpaderping | master | 25 | Microsoft-Windows-Sysmon | -| Protected Storage Service Access | master | 5145 | Microsoft-Windows-Security-Auditing | -| In-memory PowerShell | master | 7 | Microsoft-Windows-Sysmon | -| User Account Deleted | master | 4726 | Microsoft-Windows-Security-Auditing | -| WMIC Loading Scripting Libraries | master | 7 | Microsoft-Windows-Sysmon | -| Microsoft 365 (Office 365) MCAS Risky IP | master | 98 | | -| Admin Share Access | master | 5140, 5145 | Microsoft-Windows-Security-Auditing | -| Advanced IP Scanner | master | 1 | Microsoft-Windows-Sysmon | -| Remote Monitoring and Management Software - AnyDesk | master | 1, 22 | Kernel-Process, Microsoft-Windows-DNS-Client | -| Process Hollowing Detection | master | 25 | Microsoft-Windows-Sysmon | -| xWizard Execution | master | 1 | Kernel-Process | -| Microsoft 365 (Office 365) MCAS Inbox Hiding | master | 98 | | -| Network Share Discovery | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| TOR Usage Generic Rule | master | 3 | Microsoft-Windows-Sysmon | -| DNS Server Error 
Failed Loading The ServerLevelPluginDLL | master | 150, 770, 771 | Microsoft-Windows-DNS-Server-Service | -| FromBase64String Command Line | master | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Sysmon Windows File Block Executable | master | 27 | Microsoft-Windows-Sysmon | +| Computer Account Deleted | master | 4743 | Microsoft-Windows-Security-Auditing | +| Svchost DLL Search Order Hijack | master | 7 | Microsoft-Windows-Sysmon | | Remote Registry Management Using Reg Utility | master | 5145 | Microsoft-Windows-Security-Auditing | -| List Shadow Copies | master | 4104 | Microsoft-Windows-PowerShell | -| WMI DLL Loaded Via Office | master | 7 | Microsoft-Windows-Sysmon | -| Registry Checked For Lanmanserver DisableCompression Parameter | master | 4663 | Microsoft-Windows-Security-Auditing | | Netsh Port Opening | master | 1 | Microsoft-Windows-Sysmon | +| PowerShell Malicious PowerShell Commandlets | master | 4104 | Microsoft-Windows-PowerShell | | Microsoft 365 (Office 365) MCAS Repeated Failed Login | master | 98 | | +| WMI DLL Loaded Via Office | master | 7 | Microsoft-Windows-Sysmon | +| AD Privileged Users Or Groups Reconnaissance | master | 4661 | Microsoft-Windows-Security-Auditing | +| Protected Storage Service Access | master | 5145 | Microsoft-Windows-Security-Auditing | +| Execution From Suspicious Folder | master | 1 | Microsoft-Windows-Sysmon | +| User Account Deleted | master | 4726 | Microsoft-Windows-Security-Auditing | +| Admin Share Access | master | 5140, 5145 | Microsoft-Windows-Security-Auditing | +| In-memory PowerShell | master | 7 | Microsoft-Windows-Sysmon | +| Account Removed From A Security Enabled Group | master | 4729 | Microsoft-Windows-Security-Auditing | +| Credential Dumping-Tools Common Named Pipes | master | 17 | Microsoft-Windows-Sysmon | +| AD User Enumeration | master | 4662 | Microsoft-Windows-Security-Auditing | | CVE-2017-11882 Microsoft Office Equation Editor Vulnerability | master | 3 | 
Microsoft-Windows-Sysmon | -| SCM Database Privileged Operation | master | 4674 | Microsoft-Windows-Security-Auditing | -| User Couldn't Call A Privileged Service LsaRegisterLogonProcess | master | 4673 | Microsoft-Windows-Security-Auditing | -| SCM Database Handle Failure | master | 4656 | Microsoft-Windows-Security-Auditing | -| Abusing Azure Browser SSO | master | 7 | Microsoft-Windows-Sysmon | -| CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv | master | 7, 11 | Microsoft-Windows-Sysmon | +| Process Herpaderping | master | 25 | Microsoft-Windows-Sysmon | +| Microsoft 365 Device Code Authentication | master | 15 | | +| xWizard Execution | master | 1 | Kernel-Process | +| Windows Defender Deactivation Using PowerShell Script | master | 4104 | Microsoft-Windows-PowerShell | +| Narrator Feedback-Hub Persistence | master | 13 | Microsoft-Windows-Sysmon | +| Putty Sessions Listing | master | 1, 4656, 4663 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon | +| System Network Connections Discovery | advanced | 1 | Microsoft-Windows-Sysmon | +| WMI Persistence Script Event Consumer File Write | advanced | 11 | Microsoft-Windows-Sysmon | +| Suspicious Double Extension | advanced | 5 | Microsoft-Windows-Sysmon | +| Windows Registry Persistence COM Search Order Hijacking | advanced | 13 | Microsoft-Windows-Sysmon | +| Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically | advanced | 64 | | +| Suspicious Regsvr32 Execution | advanced | 1 | Microsoft-Windows-Sysmon | +| Logonui Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | | Exploit For CVE-2017-0261 Or CVE-2017-0262 | advanced | 1 | Microsoft-Windows-Sysmon | -| Cmd.exe Used To Run Reconnaissance Commands | advanced | 1 | Microsoft-Windows-Sysmon | -| Exfiltration And Tunneling Tools Execution | advanced | 1 | Microsoft-Windows-Sysmon | -| XCopy Suspicious Usage | advanced | 1 | Microsoft-Windows-Sysmon | -| Lateral Movement - Remote Named Pipe | advanced 
| 5145 | Microsoft-Windows-Security-Auditing | -| Netsh Program Allowed With Suspicious Location | advanced | 1 | Microsoft-Windows-Sysmon | -| Permission Discovery Via Wmic | advanced | 1 | Microsoft-Windows-Sysmon | -| Domain Group And Permission Enumeration | advanced | 1 | Microsoft-Windows-Sysmon | -| Suspicious Windows DNS Queries | advanced | 22 | Microsoft-Windows-Sysmon | -| Searchindexer Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| PowerView commandlets 1 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Python Opening Ports | advanced | 5154 | Microsoft-Windows-Security-Auditing | +| AccCheckConsole Executing Dll | advanced | 5 | Kernel-Process | +| Adidnsdump Enumeration | advanced | 11, 4688 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Security-Auditing | | Explorer Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Netsh Allow Command | advanced | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically | advanced | 64 | | -| Telegram Bot API Request | advanced | 22 | Microsoft-Windows-Sysmon | +| SAM Registry Hive Handle Request | advanced | 4656 | Microsoft-Windows-Security-Auditing | +| Python Opening Ports | advanced | 5154 | Microsoft-Windows-Security-Auditing | +| Suspicious Windows DNS Queries | advanced | 22 | Microsoft-Windows-Sysmon | +| Rclone Process | advanced | 1 | Microsoft-Windows-Sysmon | +| Suspicious desktop.ini Action | advanced | 15 | Microsoft-Windows-Sysmon | +| Microsoft Office Product Spawning Windows Shell | advanced | 1 | Microsoft-Windows-Sysmon | +| RDP Sensitive Settings Changed | advanced | 13 | Microsoft-Windows-Sysmon | +| Cmd.exe Used To Run Reconnaissance Commands | advanced | 1 | Microsoft-Windows-Sysmon | | Domain Trust Created Or Removed | advanced | 4706, 4707 | Microsoft-Windows-Security-Auditing | +| Csrss Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Alternate PowerShell Hosts 
Pipe | advanced | 17 | Microsoft-Windows-Sysmon | +| ACLight Discovering Privileged Accounts | advanced | 4103 | Microsoft-Windows-PowerShell | +| Dynwrapx Module Loading | advanced | 7 | Microsoft-Windows-Sysmon | +| PsExec Process | advanced | 13, 7045 | Microsoft-Windows-Sysmon, Service Control Manager | +| Taskhost or Taskhostw Suspicious Child Found | advanced | 1 | Microsoft-Windows-Sysmon | +| Smss Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Legitimate Process Execution From Unusual Folder | advanced | 1, 5, 4688 | Microsoft-Windows-Sysmon | +| CreateRemoteThread Common Process Injection | advanced | 8 | Microsoft-Windows-Sysmon | +| Winrshost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| XCopy Suspicious Usage | advanced | 1 | Microsoft-Windows-Sysmon | | Malicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell | -| PowerShell Malicious Nishang PowerShell Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell | -| Logon Scripts (UserInitMprLogonScript) | advanced | 1, 13 | Microsoft-Windows-Sysmon | +| Hiding Files With Attrib.exe | advanced | 1 | Microsoft-Windows-Sysmon | | Change Default File Association | advanced | 1 | Microsoft-Windows-Sysmon | -| Microsoft Windows Active Directory Module Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell | -| Suspicious ADSI-Cache Usage By Unknown Tool | advanced | 11 | Microsoft-Windows-Sysmon | -| NTDS.dit File In Suspicious Directory | advanced | 11 | Microsoft-Windows-Sysmon | -| Suspicious Regasm Regsvcs Usage | advanced | 1 | Kernel-Process | -| AccCheckConsole Executing Dll | advanced | 5 | Kernel-Process | -| WiFi Credentials Harvesting Using Netsh | advanced | 1 | Microsoft-Windows-Sysmon | -| Suspicious desktop.ini Action | advanced | 15 | Microsoft-Windows-Sysmon | -| System Network Connections Discovery | advanced | 1 | Microsoft-Windows-Sysmon | -| Logonui Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Suspicious Control 
Process | advanced | 1 | Microsoft-Windows-Sysmon | -| Powershell AMSI Bypass | advanced | 4104 | Microsoft-Windows-PowerShell | -| PowerShell - NTFS Alternate Data Stream | advanced | 4104 | Microsoft-Windows-PowerShell | -| Suspicious Outbound Kerberos Connection | advanced | 5156 | Microsoft-Windows-Security-Auditing | -| PowerShell Data Compressed | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| AzureEdge in Command Line | advanced | 5 | Kernel-Process | -| Smss Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Suspicious Double Extension | advanced | 5 | Microsoft-Windows-Sysmon | -| Credentials Extraction | advanced | 1 | Kernel-Process | -| PowerShell Download From URL | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Taskhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Netsh Allow Command | advanced | 1 | Microsoft-Windows-Sysmon | +| Remote Service Activity Via SVCCTL Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing | | Disabled IE Security Features | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | 7 | Microsoft-Windows-Sysmon | -| Taskhost or Taskhostw Suspicious Child Found | advanced | 1 | Microsoft-Windows-Sysmon | -| Csrss Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| RDP Sensitive Settings Changed | advanced | 13 | Microsoft-Windows-Sysmon | -| Active Directory Replication from Non Machine Account | advanced | 4662 | Microsoft-Windows-Security-Auditing | -| AD Object WriteDAC Access | advanced | 4662 | Microsoft-Windows-Security-Auditing | -| Suspicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell | -| RDP Login From Localhost | advanced | 4624 | Microsoft-Windows-Security-Auditing | -| CreateRemoteThread Common Process Injection | advanced | 8 | Microsoft-Windows-Sysmon | -| SAM Registry Hive Handle Request 
| advanced | 4656 | Microsoft-Windows-Security-Auditing | -| Legitimate Process Execution From Unusual Folder | advanced | 1, 5, 4688 | Microsoft-Windows-Sysmon | -| Suspicious Cmd.exe Command Line | advanced | 1 | Microsoft-Windows-Sysmon | -| Webshell Execution W3WP Process | advanced | 1 | Microsoft-Windows-Sysmon | -| Certify Or Certipy | advanced | 3, 5 | Kernel-Process | -| RDP Session Discovery | advanced | 1 | Microsoft-Windows-Sysmon | -| WMI Persistence Script Event Consumer File Write | advanced | 11 | Microsoft-Windows-Sysmon | -| Powershell Web Request | advanced | 1 | Microsoft-Windows-Sysmon | -| Wininit Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| AutoIt3 Execution From Suspicious Folder | advanced | 5 | Kernel-Process | -| Suspicious PROCEXP152.sys File Created In Tmp | advanced | 11 | Microsoft-Windows-Sysmon | -| Microsoft Office Product Spawning Windows Shell | advanced | 1 | Microsoft-Windows-Sysmon | -| Alternate PowerShell Hosts Pipe | advanced | 17 | Microsoft-Windows-Sysmon | | External Disk Drive Or USB Storage Device | advanced | 6416 | Microsoft-Windows-Security-Auditing | -| Searchprotocolhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Adexplorer Usage | advanced | 1 | Microsoft-Windows-Sysmon | -| Hiding Files With Attrib.exe | advanced | 1 | Microsoft-Windows-Sysmon | -| PowerView commandlets 2 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Winlogon wrong parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Wmiprvse Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Wsmprovhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Wininit Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Exfiltration And Tunneling Tools Execution | advanced | 1 | Microsoft-Windows-Sysmon | +| Userinit Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Searchindexer Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| AzureEdge in Command Line 
| advanced | 5 | Kernel-Process | +| Powershell Web Request | advanced | 1 | Microsoft-Windows-Sysmon | | Svchost Wrong Parent | advanced | 4688 | Microsoft-Windows-Security-Auditing | -| Remote Service Activity Via SVCCTL Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing | -| Rare Logonui Child Found | advanced | 1 | Microsoft-Windows-Sysmon | -| Winword wrong parent | advanced | 4688 | Microsoft-Windows-Security-Auditing | -| Dllhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| WMI Event Subscription | advanced | 19, 20, 21 | Microsoft-Windows-Sysmon | -| Taskhostw Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Metasploit PSExec Service Creation | advanced | 7045 | Service Control Manager | -| Suspicious Regsvr32 Execution | advanced | 1 | Microsoft-Windows-Sysmon | -| Remote Privileged Group Enumeration | advanced | 4799 | Microsoft-Windows-Security-Auditing | | Suspicious PrinterPorts Creation (CVE-2020-1048) | advanced | 10 | Microsoft-Windows-Sysmon | -| Wsmprovhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Spoolsv Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Rclone Process | advanced | 1 | Microsoft-Windows-Sysmon | -| Account Tampering - Suspicious Failed Logon Reasons | advanced | 4625, 4776 | Microsoft-Windows-Security-Auditing | -| PowerShell Credential Prompt | advanced | 4104 | Microsoft-Windows-PowerShell | -| PsExec Process | advanced | 13, 7045 | Microsoft-Windows-Sysmon, Service Control Manager | -| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | 4104 | Microsoft-Windows-PowerShell | -| ACLight Discovering Privileged Accounts | advanced | 4103 | Microsoft-Windows-PowerShell | -| Winrshost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Tampering Detected | advanced | 1127, 2013, 5001, 5010, 5012, 5101 | Microsoft-Windows-Windows Defender | +| Remote Privileged Group Enumeration | advanced | 4799 | 
Microsoft-Windows-Security-Auditing | +| New Service Creation | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| PowerShell Data Compressed | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | | Default Encoding To UTF-8 PowerShell | advanced | 1 | Microsoft-Windows-Sysmon | | Svchost Modification | advanced | 13 | Microsoft-Windows-Sysmon | -| Lsass Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| Suspicious XOR Encoded PowerShell Command Line | advanced | 4104 | Microsoft-Windows-PowerShell | -| Adidnsdump Enumeration | advanced | 11, 4688 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Security-Auditing | -| Active Directory Replication User Backdoor | advanced | 5136 | Microsoft-Windows-Security-Auditing | -| Windows Registry Persistence COM Search Order Hijacking | advanced | 13 | Microsoft-Windows-Sysmon | -| Control Panel Items | advanced | 1 | Microsoft-Windows-Sysmon | +| PowerShell EncodedCommand | advanced | 1 | Microsoft-Windows-Sysmon | +| PowerView commandlets 2 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Webshell Execution W3WP Process | advanced | 1 | Microsoft-Windows-Sysmon | +| Active Directory Replication from Non Machine Account | advanced | 4662 | Microsoft-Windows-Security-Auditing | +| Domain Group And Permission Enumeration | advanced | 1 | Microsoft-Windows-Sysmon | +| Suspicious PROCEXP152.sys File Created In Tmp | advanced | 11 | Microsoft-Windows-Sysmon | +| Suspicious Control Process | advanced | 1 | Microsoft-Windows-Sysmon | +| Winlogon wrong parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Searchprotocolhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| PowerShell - NTFS Alternate Data Stream | advanced | 4104 | Microsoft-Windows-PowerShell | +| PowerShell Invoke-Obfuscation Obfuscated IEX Invocation | advanced | 4104 | Microsoft-Windows-PowerShell | +| RDP Session Discovery | advanced | 1 | 
Microsoft-Windows-Sysmon | | Unsigned Image Loaded Into LSASS Process | advanced | 7 | Microsoft-Windows-Sysmon | -| Mimikatz LSASS Memory Access | advanced | 10 | Microsoft-Windows-Sysmon | -| Dynwrapx Module Loading | advanced | 7 | Microsoft-Windows-Sysmon | +| Control Panel Items | advanced | 1 | Microsoft-Windows-Sysmon | +| Certify Or Certipy | advanced | 3, 5 | Kernel-Process | +| Lsass Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Metasploit PSExec Service Creation | advanced | 7045 | Service Control Manager | +| RDP Login From Localhost | advanced | 4624 | Microsoft-Windows-Security-Auditing | +| PowerShell Download From URL | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Lateral Movement - Remote Named Pipe | advanced | 5145 | Microsoft-Windows-Security-Auditing | +| Load Of dbghelp/dbgcore DLL From Suspicious Process | advanced | 7 | Microsoft-Windows-Sysmon | +| Active Directory Replication User Backdoor | advanced | 5136 | Microsoft-Windows-Security-Auditing | +| Credentials Extraction | advanced | 1 | Kernel-Process | +| Suspicious PowerShell Keywords | advanced | 4104 | Microsoft-Windows-PowerShell | +| Powershell AMSI Bypass | advanced | 4104 | Microsoft-Windows-PowerShell | +| Taskhostw Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| WMI Event Subscription | advanced | 19, 20, 21 | Microsoft-Windows-Sysmon | +| Rare Logonui Child Found | advanced | 1 | Microsoft-Windows-Sysmon | +| Wmiprvse Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Account Tampering - Suspicious Failed Logon Reasons | advanced | 4625, 4776 | Microsoft-Windows-Security-Auditing | +| Suspicious Outbound Kerberos Connection | advanced | 5156 | Microsoft-Windows-Security-Auditing | | Rubeus Tool Command-line | advanced | 1 | Microsoft-Windows-Sysmon | -| Userinit Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | -| New Service Creation | advanced | 1, 4104 | Microsoft-Windows-PowerShell, 
Microsoft-Windows-Sysmon | -| PowerShell EncodedCommand | advanced | 1 | Microsoft-Windows-Sysmon | -| SolarWinds Wrong Child Process | intermediate | 1 | Microsoft-Windows-Sysmon | +| Winword wrong parent | advanced | 4688 | Microsoft-Windows-Security-Auditing | +| AD Object WriteDAC Access | advanced | 4662 | Microsoft-Windows-Security-Auditing | +| PowerShell Malicious Nishang PowerShell Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell | +| Permission Discovery Via Wmic | advanced | 1 | Microsoft-Windows-Sysmon | +| Mimikatz LSASS Memory Access | advanced | 10 | Microsoft-Windows-Sysmon | +| PowerView commandlets 1 | advanced | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Netsh Program Allowed With Suspicious Location | advanced | 1 | Microsoft-Windows-Sysmon | +| WiFi Credentials Harvesting Using Netsh | advanced | 1 | Microsoft-Windows-Sysmon | +| Suspicious Regasm Regsvcs Usage | advanced | 1 | Kernel-Process | +| NTDS.dit File In Suspicious Directory | advanced | 11 | Microsoft-Windows-Sysmon | +| Spoolsv Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| PowerShell Credential Prompt | advanced | 4104 | Microsoft-Windows-PowerShell | +| Dllhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Taskhost Wrong Parent | advanced | 1 | Microsoft-Windows-Sysmon | +| Telegram Bot API Request | advanced | 22 | Microsoft-Windows-Sysmon | +| Microsoft Windows Active Directory Module Commandlets | advanced | 4104 | Microsoft-Windows-PowerShell | +| Adexplorer Usage | advanced | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Tampering Detected | advanced | 1127, 2013, 5001, 5010, 5012, 5101 | Microsoft-Windows-Windows Defender | +| AutoIt3 Execution From Suspicious Folder | advanced | 5 | Kernel-Process | +| Logon Scripts (UserInitMprLogonScript) | advanced | 1, 13 | Microsoft-Windows-Sysmon | +| Suspicious Cmd.exe Command Line | advanced | 1 | Microsoft-Windows-Sysmon | +| Suspicious XOR Encoded 
PowerShell Command Line | advanced | 4104 | Microsoft-Windows-PowerShell | +| Suspicious ADSI-Cache Usage By Unknown Tool | advanced | 11 | Microsoft-Windows-Sysmon | +| MS Office Product Spawning Exe in User Dir | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft 365 (Office 365) Malware Uploaded On SharePoint | intermediate | 6 | | +| Copy Of Legitimate System32 Executable | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Netsh RDP Port Opening | intermediate | 1 | Microsoft-Windows-Sysmon | +| Disable Windows Defender Credential Guard | intermediate | 13 | Microsoft-Windows-Sysmon | +| Microsoft 365 Email Forwarding To Email Address With Rare TLD | intermediate | 1 | | +| WMImplant Hack Tool | intermediate | 4104 | Microsoft-Windows-PowerShell | +| User Added to Local Administrators | intermediate | 4732 | Microsoft-Windows-Security-Auditing | +| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | 1 | Microsoft-Windows-Sysmon | +| XSL Script Processing And SquiblyTwo Attack | intermediate | 1 | Microsoft-Windows-Sysmon | +| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1031, 1032, 1033, 1034 | Microsoft-Windows-DHCP-Server | | Phosphorus Domain Controller Discovery | intermediate | 4104 | Microsoft-Windows-PowerShell | -| Trickbot Malware Activity | intermediate | 1 | Microsoft-Windows-Sysmon | -| Rare Lsass Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | -| SolarWinds Suspicious File Creation | intermediate | 11 | Microsoft-Windows-Sysmon | -| QakBot Process Creation | intermediate | 1 | Microsoft-Windows-Sysmon | -| Generic-reverse-shell-oneliner | intermediate | 3 | Microsoft-Windows-Kernel-Network | -| Suspicious DLL Loading By Ordinal | intermediate | 1 | Microsoft-Windows-Sysmon | -| Sliver DNS Beaconing | intermediate | 22 | Microsoft-Windows-Sysmon | -| Lsass Access Through WinRM | intermediate | 10 | Microsoft-Windows-Sysmon | -| Possible RottenPotato 
Attack | intermediate | 4624 | Microsoft-Windows-Security-Auditing | -| PowerShell Execution Via Rundll32 | intermediate | 1 | Microsoft-Windows-Sysmon | -| New DLL Added To AppCertDlls Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon | -| Bloodhound and Sharphound Tools Usage | intermediate | 1 | Microsoft-Windows-Sysmon | -| Cred Dump Tools Dropped Files | intermediate | 11 | Microsoft-Windows-Sysmon | +| Suspicious LDAP-Attributes Used | intermediate | 5136 | Microsoft-Windows-Security-Auditing | +| WMIC Command To Determine The Antivirus | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Registry Key Used By Some Old Agent Tesla Samples | intermediate | 13 | Microsoft-Windows-Sysmon | +| Sysprep On AppData Folder | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspect Svchost Memory Access | intermediate | 10 | Microsoft-Windows-Sysmon | +| Credential Dumping Tools Service Execution | intermediate | 7045 | Service Control Manager | +| IIS Module Installation Using AppCmd | intermediate | 1 | Microsoft-Windows-Sysmon | +| Python HTTP Server | intermediate | 1 | Microsoft-Windows-Sysmon | | Usage Of Procdump With Common Arguments | intermediate | 13 | Microsoft-Windows-Sysmon | -| Remote Task Creation Via ATSVC Named Pipe | intermediate | 5145 | Microsoft-Windows-Security-Auditing | -| Disable Windows Defender Credential Guard | intermediate | 13 | Microsoft-Windows-Sysmon | -| Capture a network trace with netsh.exe | intermediate | 1 | Microsoft-Windows-Sysmon | -| Secure Deletion With SDelete | intermediate | 4656, 4658, 4663 | Microsoft-Windows-Security-Auditing | -| Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action | intermediate | 64 | | +| Cobalt Strike Default Beacons Names | intermediate | 1, 15 | Microsoft-Windows-Sysmon | +| DHCP Callout DLL Installation | intermediate | 13 | Microsoft-Windows-Sysmon | +| Explorer Process Executing HTA File | intermediate | 1 | 
Microsoft-Windows-Sysmon | +| Ngrok Process Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Windows Script Execution | intermediate | 5 | Kernel-Process | +| NetSh Used To Disable Windows Firewall | intermediate | 1 | Microsoft-Windows-Sysmon | +| LSASS Memory Dump File Creation | intermediate | 11 | Microsoft-Windows-Sysmon | +| Data Compressed With Rar With Password | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Suspicious Mshta Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| RDP Port Change Using Powershell | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| PowerCat Function Loading | intermediate | 4104 | Microsoft-Windows-PowerShell | | DLL Load via LSASS Registry Key | intermediate | 12, 13 | Microsoft-Windows-Sysmon | -| Audio Capture via PowerShell | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| UAC Bypass Using Fodhelper | intermediate | 13 | Microsoft-Windows-Sysmon | -| Microsoft Office Spawning Script | intermediate | 1 | Microsoft-Windows-Sysmon | -| Exchange Mailbox Export | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Active Directory User Backdoors | intermediate | 4662, 5136 | Microsoft-Windows-Security-Auditing | -| DHCP Server Loaded the CallOut DLL | intermediate | 1033 | Microsoft-Windows-DHCP-Server | +| HackTools Suspicious Process Names In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | +| Network Sniffing Windows | intermediate | 1, 5 | Microsoft-Windows-Sysmon | +| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | 4794 | Microsoft-Windows-Security-Auditing | +| Schtasks Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Desktopimgdownldr 
Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| OneNote Embedded File | intermediate | 11, 15 | Microsoft-Windows-Sysmon | +| Qakbot Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | +| Rare Lsass Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | +| Venom Multi-hop Proxy agent detection | intermediate | 1 | Kernel-Process | +| DPAPI Domain Backup Key Extraction | intermediate | 4662 | Microsoft-Windows-Security-Auditing | +| Suspicious DNS Child Process | intermediate | 1 | Microsoft-Windows-Sysmon | +| MMC Spawning Windows Shell | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Driver Loaded | intermediate | 13 | Microsoft-Windows-Sysmon | +| Spyware Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Outlook Child Process | intermediate | 4688 | Microsoft-Windows-Security-Auditing | +| Suspicious Rundll32.exe Execution | intermediate | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon | +| UAC Bypass via Event Viewer | intermediate | 13 | Microsoft-Windows-Sysmon | +| CMSTP Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| New DLL Added To AppCertDlls Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon | +| NlTest Usage | intermediate | 1 | Microsoft-Windows-Sysmon | | Clear EventLogs Through CommandLine | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Scheduled Task Creation | intermediate | 4688 | Microsoft-Windows-Security-Auditing | -| Inhibit System Recovery Deleting Backups | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Non-Legitimate Executable Using AcceptEula Parameter | intermediate | 3, 5 | Kernel-Process, Microsoft-Windows-Kernel-Process | -| Pandemic Windows Implant | intermediate | 1, 13 | Microsoft-Windows-Sysmon | +| MalwareBytes Uninstallation | intermediate | 1 | Microsoft-Windows-Sysmon | +| STRRAT Scheduled Task | intermediate | 1 | Microsoft-Windows-Sysmon | +| Exchange 
Mailbox Export | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Exchange Server Spawning Suspicious Processes | intermediate | 1 | Microsoft-Windows-Sysmon | +| Secure Deletion With SDelete | intermediate | 4656, 4658, 4663 | Microsoft-Windows-Security-Auditing | +| Eventlog Cleared | intermediate | 517, 1102 | Microsoft-Windows-Eventlog | +| Commonly Used Commands To Stop Services And Remove Backups | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious DLL Loading By Ordinal | intermediate | 1 | Microsoft-Windows-Sysmon | +| Trickbot Malware Activity | intermediate | 1 | Microsoft-Windows-Sysmon | +| Cmdkey Cached Credentials Recon | intermediate | 1 | Microsoft-Windows-Sysmon | | Detection of default Mimikatz banner | intermediate | 4103 | Microsoft-Windows-PowerShell | -| KeePass Config XML In Command-Line | intermediate | 1 | Microsoft-Windows-Sysmon | -| Malicious Named Pipe | intermediate | 17 | Microsoft-Windows-Sysmon | -| Successful Overpass The Hash Attempt | intermediate | 4624 | Microsoft-Windows-Security-Auditing | -| Transfering Files With Credential Data Via Network Shares | intermediate | 5145 | Microsoft-Windows-Security-Auditing | -| Suspicious Cmd File Copy Command To Network Share | intermediate | 30 | Microsoft-Windows-Kernel-File | -| Suspicious Driver Loaded | intermediate | 13 | Microsoft-Windows-Sysmon | -| Suspicious PowerShell Invocations - Specific | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious certutil command | intermediate | 1 | Microsoft-Windows-Sysmon | -| Registry Key Used By Some Old Agent Tesla Samples | intermediate | 13 | Microsoft-Windows-Sysmon | -| Password Dumper Activity On LSASS | intermediate | 4656 | Microsoft-Windows-Security-Auditing | -| Active Directory Delegate To KRBTGT Service | intermediate | 4738 | Microsoft-Windows-Security-Auditing | -| Suspicious SAM Dump | intermediate | 16 | Microsoft-Windows-Kernel-General | -| Chafer (APT 39) Activity | 
intermediate | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager | -| Netsh RDP Port Opening | intermediate | 1 | Microsoft-Windows-Sysmon | -| NetSh Used To Disable Windows Firewall | intermediate | 1 | Microsoft-Windows-Sysmon | -| Impacket Secretsdump.py Tool | intermediate | 5145 | Microsoft-Windows-Security-Auditing | -| WCE wceaux.dll Creation | intermediate | 30 | Microsoft-Windows-Kernel-File | -| Suspicious PowerShell Invocations - Generic | intermediate | 1 | Microsoft-Windows-Sysmon | -| MSBuild Abuse | intermediate | 1, 3 | Microsoft-Windows-Sysmon | +| Lsass Access Through WinRM | intermediate | 10 | Microsoft-Windows-Sysmon | +| Suspicious CodePage Switch with CHCP | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Disable Scheduled Tasks | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | | CMSTP UAC Bypass via COM Object Access | intermediate | 1 | Microsoft-Windows-Sysmon | -| Hijack Legit RDP Session To Move Laterally | intermediate | 11 | Microsoft-Windows-Sysmon | -| Formbook File Creation DB1 | intermediate | 11 | Microsoft-Windows-Sysmon | -| Microsoft 365 (Office 365) Malware Uploaded On OneDrive | intermediate | 6 | | -| DC Shadow via Service Principal Name (SPN) creation | intermediate | 4742, 5136 | Microsoft-Windows-Security-Auditing | -| Microsoft 365 Email Forwarding To Email Address With Rare TLD | intermediate | 1 | | -| Ryuk Ransomware Persistence Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon | -| Explorer Process Executing HTA File | intermediate | 1 | Microsoft-Windows-Sysmon | -| MMC Spawning Windows Shell | intermediate | 1 | Microsoft-Windows-Sysmon | -| IIS Module Installation Using AppCmd | intermediate | 1 | Microsoft-Windows-Sysmon | -| TUN/TAP Driver Installation | intermediate | 4697, 7045 | Service Control Manager | -| Python HTTP Server | intermediate | 1 | Microsoft-Windows-Sysmon | | Formbook Hijacked Process Command | 
intermediate | 1 | Microsoft-Windows-Sysmon | | New Or Renamed User Account With '$' In Attribute 'SamAccountName' | intermediate | 4720 | Microsoft-Windows-Security-Auditing | -| XSL Script Processing And SquiblyTwo Attack | intermediate | 1 | Microsoft-Windows-Sysmon | -| Werfault DLL Injection | intermediate | 7 | Microsoft-Windows-Sysmon | -| OneNote Embedded File | intermediate | 11, 15 | Microsoft-Windows-Sysmon | -| Suspicious Taskkill Command | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Network Args In Command Line | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon | -| Suspicious Windows Script Execution | intermediate | 5 | Kernel-Process | -| MS Office Product Spawning Exe in User Dir | intermediate | 1 | Microsoft-Windows-Sysmon | +| Chafer (APT 39) Activity | intermediate | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager | +| Microsoft 365 (Office 365) Malware Uploaded On OneDrive | intermediate | 6 | | | NetNTLM Downgrade Attack | intermediate | 13, 4657 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Set-MpPreference Base64 Encoded | intermediate | 1 | Microsoft-Windows-Sysmon | -| RDP Port Change Using Powershell | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Suspicious LDAP-Attributes Used | intermediate | 5136 | Microsoft-Windows-Security-Auditing | -| Suspicious Scripting In A WMI Consumer | intermediate | 20 | Microsoft-Windows-Sysmon | -| Suspicious Desktopimgdownldr Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | 1 | Microsoft-Windows-Sysmon | +| Formbook File Creation DB1 | intermediate | 11 | Microsoft-Windows-Sysmon | +| Creation or Modification of a GPO Scheduled Task | intermediate | 5145 | Microsoft-Windows-Security-Auditing | +| Gpscript Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Commands From MS SQL Server Shell | 
intermediate | 1 | Microsoft-Windows-Sysmon | +| Inhibit System Recovery Deleting Backups | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Generic-reverse-shell-oneliner | intermediate | 3 | Microsoft-Windows-Kernel-Network | +| OceanLotus Registry Activity | intermediate | 13 | Microsoft-Windows-Sysmon | +| Backup Catalog Deleted | intermediate | 524 | Microsoft-Windows-Backup | +| Suspicious Finger Usage | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft 365 Email Forwarding To Consumer Email Address | intermediate | 1 | | +| StoneDrill Service Install | intermediate | 7045 | Service Control Manager | +| Exchange Server Creating Unusual Files | intermediate | 11 | Microsoft-Windows-Sysmon | +| Reconnaissance Commands Activities | intermediate | 1 | Kernel-Process | +| Audio Capture via PowerShell | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| WCE wceaux.dll Creation | intermediate | 30 | Microsoft-Windows-Kernel-File | +| Exfiltration Domain In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | | Microsoft Malware Protection Engine Crash | intermediate | 1000 | Application Error | +| Malicious Named Pipe | intermediate | 17 | Microsoft-Windows-Sysmon | +| Sliver DNS Beaconing | intermediate | 22 | Microsoft-Windows-Sysmon | +| Werfault DLL Injection | intermediate | 7 | Microsoft-Windows-Sysmon | +| Netsh Allowed Python Program | intermediate | 1 | Microsoft-Windows-Sysmon | | DNS Exfiltration and Tunneling Tools Execution | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| DHCP Server Error Failed Loading the CallOut DLL | intermediate | 1031, 1032, 1034 | Microsoft-Windows-DHCP-Server | -| MavInject Process Injection | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Mshta Execution From Wmi | intermediate | 1 | Microsoft-Windows-Sysmon | +| COM Hijack Via Sdclt | intermediate | 1 | Microsoft-Windows-Sysmon | +| 
Suspicious Scripting In A WMI Consumer | intermediate | 20 | Microsoft-Windows-Sysmon | +| Cred Dump Tools Dropped Files | intermediate | 11 | Microsoft-Windows-Sysmon | +| BazarLoader Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | +| SquirrelWaffle Malspam Execution Loading DLL | intermediate | 1 | Microsoft-Windows-Sysmon | +| Active Directory User Backdoors | intermediate | 4662, 5136 | Microsoft-Windows-Security-Auditing | +| WMIC Uninstall Product | intermediate | 1 | Microsoft-Windows-Sysmon | +| Searchprotocolhost Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | | Powershell Winlogon Helper DLL | intermediate | 13, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| PowerCat Function Loading | intermediate | 4104 | Microsoft-Windows-PowerShell | -| OceanLotus Registry Activity | intermediate | 13 | Microsoft-Windows-Sysmon | -| Network Connection Via Certutil | intermediate | 3 | Microsoft-Windows-Sysmon | -| LSASS Memory Dump File Creation | intermediate | 11 | Microsoft-Windows-Sysmon | -| ETW Tampering | intermediate | 1 | Microsoft-Windows-Sysmon | -| Mshta Suspicious Child Process | intermediate | 1, 5 | Kernel-Process | -| Possible Replay Attack | intermediate | 4649 | Microsoft-Windows-Security-Auditing | -| WMIC Command To Determine The Antivirus | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Copy Of Legitimate System32 Executable | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| User Added to Local Administrators | intermediate | 4732 | Microsoft-Windows-Security-Auditing | -| Netsh Allowed Python Program | intermediate | 1 | Microsoft-Windows-Sysmon | | Grabbing Sensitive Hives Via Reg Utility | intermediate | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon | -| Exchange Server Creating Unusual Files | intermediate | 11 | Microsoft-Windows-Sysmon | -| Backup Catalog Deleted | intermediate | 524 | 
Microsoft-Windows-Backup | -| Wmic Service Call | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspect Svchost Memory Access | intermediate | 10 | Microsoft-Windows-Sysmon | | Denied Access To Remote Desktop | intermediate | 4825 | Microsoft-Windows-Security-Auditing | -| Microsoft Defender Antivirus Threat Detected | intermediate | 1006, 1007, 1008, 1015, 1116, 1117, 1118, 1119, 1125, 1126 | Microsoft-Windows-Windows Defender | -| Microsoft Defender Antivirus Disable Scheduled Tasks | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| STRRAT Scheduled Task | intermediate | 1 | Microsoft-Windows-Sysmon | -| Disable .NET ETW Through COMPlus_ETWEnabled | intermediate | 1, 13 | Microsoft-Windows-Sysmon | -| Reconnaissance Commands Activities | intermediate | 1 | Kernel-Process | -| Eventlog Cleared | intermediate | 517, 1102 | Microsoft-Windows-Eventlog | | Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data | intermediate | 4104 | Microsoft-Windows-PowerShell | -| Schtasks Suspicious Parent | intermediate | 1 | Microsoft-Windows-Sysmon | -| NTDS.dit File Interaction Through Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | -| Data Compressed With Rar With Password | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Commonly Used Commands To Stop Services And Remove Backups | intermediate | 1 | Microsoft-Windows-Sysmon | -| Cmdkey Cached Credentials Recon | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Hostname | intermediate | 4624 | Microsoft-Windows-Security-Auditing | +| Powershell UploadString Function | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Windows Installer Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| Pandemic Windows Implant | intermediate | 1, 13 | Microsoft-Windows-Sysmon | +| MMC20 Lateral Movement | intermediate | 1 | Microsoft-Windows-Sysmon | +| SolarWinds Suspicious File Creation | intermediate | 11 | 
Microsoft-Windows-Sysmon | | High Privileges Network Share Removal | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Disable Services | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Suspicious DNS Child Process | intermediate | 1 | Microsoft-Windows-Sysmon | -| Cobalt Strike Default Beacons Names | intermediate | 1, 15 | Microsoft-Windows-Sysmon | -| Suspicious Finger Usage | intermediate | 1 | Microsoft-Windows-Sysmon | -| NlTest Usage | intermediate | 1 | Microsoft-Windows-Sysmon | +| Password Dumper Activity On LSASS | intermediate | 4656 | Microsoft-Windows-Security-Auditing | +| DCSync Attack | intermediate | 4662 | Microsoft-Windows-Security-Auditing | +| GPO Executable Delivery | intermediate | 5136 | Microsoft-Windows-Security-Auditing | +| Possible RottenPotato Attack | intermediate | 4624 | Microsoft-Windows-Security-Auditing | +| Suspicious Scheduled Task Creation | intermediate | 4688 | Microsoft-Windows-Security-Auditing | +| CertOC Loading Dll | intermediate | 1 | Kernel-Process | +| MSBuild Abuse | intermediate | 1, 3 | Microsoft-Windows-Sysmon | +| Suspicious SAM Dump | intermediate | 16 | Microsoft-Windows-Kernel-General | +| Active Directory Delegate To KRBTGT Service | intermediate | 4738 | Microsoft-Windows-Security-Auditing | +| Suspicious Network Args In Command Line | intermediate | 1 | Kernel-Process, Microsoft-Windows-Sysmon | +| TUN/TAP Driver Installation | intermediate | 4697, 7045 | Service Control Manager | +| Transfering Files With Credential Data Via Network Shares | intermediate | 5145 | Microsoft-Windows-Security-Auditing | +| Bloodhound and Sharphound Tools Usage | intermediate | 1 | Microsoft-Windows-Sysmon | | Csrss Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Disable SecurityHealth | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Gpscript Suspicious Parent | intermediate | 1 | 
Microsoft-Windows-Sysmon | -| Exploiting SetupComplete.cmd CVE-2019-1378 | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Rundll32.exe Execution | intermediate | 1, 5 | Kernel-Process, Microsoft-Windows-Sysmon | -| HackTools Suspicious Process Names In Command Line | intermediate | 1, 5, 11 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon | +| KeePass Config XML In Command-Line | intermediate | 1 | Microsoft-Windows-Sysmon | +| DC Shadow via Service Principal Name (SPN) creation | intermediate | 4742, 5136 | Microsoft-Windows-Security-Auditing | +| Suspicious PowerShell Invocations - Specific | intermediate | 1 | Microsoft-Windows-Sysmon | +| Wmic Service Call | intermediate | 1 | Microsoft-Windows-Sysmon | +| MavInject Process Injection | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious certutil command | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft 365 (Office 365) AtpDetection | intermediate | 47 | | +| Mshta Suspicious Child Process | intermediate | 1, 5 | Kernel-Process | +| Non-Legitimate Executable Using AcceptEula Parameter | intermediate | 3, 5 | Kernel-Process, Microsoft-Windows-Kernel-Process | +| Remote Task Creation Via ATSVC Named Pipe | intermediate | 5145 | Microsoft-Windows-Security-Auditing | +| Possible Replay Attack | intermediate | 4649 | Microsoft-Windows-Security-Auditing | +| ETW Tampering | intermediate | 1 | Microsoft-Windows-Sysmon | +| Disable .NET ETW Through COMPlus_ETWEnabled | intermediate | 1, 13 | Microsoft-Windows-Sysmon | +| Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action | intermediate | 64 | | +| Suspicious Cmd File Copy Command To Network Share | intermediate | 30 | Microsoft-Windows-Kernel-File | | SOCKS Tunneling Tool | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious CodePage Switch with CHCP | intermediate | 1 | Microsoft-Windows-Sysmon | +| Suspicious Taskkill Command | intermediate | 1 | Microsoft-Windows-Sysmon | | Suspicious DLL side 
loading from ProgramData | intermediate | 7 | Microsoft-Windows-Sysmon | -| Powershell UploadString Function | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Commands From MS SQL Server Shell | intermediate | 1 | Microsoft-Windows-Sysmon | -| Network Sniffing Windows | intermediate | 1, 5 | Microsoft-Windows-Sysmon | -| CertOC Loading Dll | intermediate | 1 | Kernel-Process | -| Venom Multi-hop Proxy agent detection | intermediate | 1 | Kernel-Process | +| QakBot Process Creation | intermediate | 1 | Microsoft-Windows-Sysmon | +| Network Connection Via Certutil | intermediate | 3 | Microsoft-Windows-Sysmon | +| SolarWinds Wrong Child Process | intermediate | 1 | Microsoft-Windows-Sysmon | +| Successful Overpass The Hash Attempt | intermediate | 4624 | Microsoft-Windows-Security-Auditing | +| NTDS.dit File Interaction Through Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | +| Impacket Secretsdump.py Tool | intermediate | 5145 | Microsoft-Windows-Security-Auditing | +| PowerShell Execution Via Rundll32 | intermediate | 1 | Microsoft-Windows-Sysmon | +| Microsoft Office Spawning Script | intermediate | 1 | Microsoft-Windows-Sysmon | +| Ryuk Ransomware Persistence Registry Key | intermediate | 1, 13 | Microsoft-Windows-Sysmon | +| Suspicious Hostname | intermediate | 4624 | Microsoft-Windows-Security-Auditing | +| Microsoft Defender Antivirus Disable Services | intermediate | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Suspicious PowerShell Invocations - Generic | intermediate | 1 | Microsoft-Windows-Sysmon | +| Capture a network trace with netsh.exe | intermediate | 1 | Microsoft-Windows-Sysmon | | Wmic Process Call Creation | intermediate | 1 | Microsoft-Windows-Sysmon | -| BazarLoader Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | -| Ngrok Process Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| Password Change On Directory Service Restore Mode (DSRM) Account | intermediate | 
4794 | Microsoft-Windows-Security-Auditing | | MOFComp Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| GPO Executable Delivery | intermediate | 5136 | Microsoft-Windows-Security-Auditing | -| DCSync Attack | intermediate | 4662 | Microsoft-Windows-Security-Auditing | -| Credential Dumping Tools Service Execution | intermediate | 7045 | Service Control Manager | -| Microsoft 365 (Office 365) AtpDetection | intermediate | 47 | | -| COM Hijack Via Sdclt | intermediate | 1 | Microsoft-Windows-Sysmon | -| Exfiltration Domain In Command Line | intermediate | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 Email Forwarding To Consumer Email Address | intermediate | 1 | | -| Qakbot Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | -| DPAPI Domain Backup Key Extraction | intermediate | 4662 | Microsoft-Windows-Security-Auditing | -| Microsoft 365 (Office 365) Malware Uploaded On SharePoint | intermediate | 6 | | -| DHCP Callout DLL Installation | intermediate | 13 | Microsoft-Windows-Sysmon | -| MalwareBytes Uninstallation | intermediate | 1 | Microsoft-Windows-Sysmon | -| Searchprotocolhost Child Found | intermediate | 1 | Microsoft-Windows-Sysmon | -| UAC Bypass via Event Viewer | intermediate | 13 | Microsoft-Windows-Sysmon | -| StoneDrill Service Install | intermediate | 7045 | Service Control Manager | | Suspicious Process Requiring DLL Starts Without DLL | intermediate | 1 | Microsoft-Windows-Sysmon | -| SquirrelWaffle Malspam Execution Loading DLL | intermediate | 1 | Microsoft-Windows-Sysmon | -| Sysprep On AppData Folder | intermediate | 1 | Microsoft-Windows-Sysmon | -| MMC20 Lateral Movement | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Windows Installer Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| Hijack Legit RDP Session To Move Laterally | intermediate | 11 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Threat Detected | intermediate | 1006, 1007, 1008, 1015, 1116, 1117, 1118, 
1119, 1125, 1126 | Microsoft-Windows-Windows Defender | | Microsoft Defender Antivirus Restoration Abuse | intermediate | 1 | Microsoft-Windows-Sysmon | -| Spyware Persistence Using Schtasks | intermediate | 1 | Microsoft-Windows-Sysmon | -| WMIC Uninstall Product | intermediate | 1 | Microsoft-Windows-Sysmon | -| Creation or Modification of a GPO Scheduled Task | intermediate | 5145 | Microsoft-Windows-Security-Auditing | -| Suspicious Mshta Execution From Wmi | intermediate | 1 | Microsoft-Windows-Sysmon | -| Suspicious Outlook Child Process | intermediate | 4688 | Microsoft-Windows-Security-Auditing | -| Suspicious Mshta Execution | intermediate | 1 | Microsoft-Windows-Sysmon | -| WMImplant Hack Tool | intermediate | 4104 | Microsoft-Windows-PowerShell | -| Exchange Server Spawning Suspicious Processes | intermediate | 1 | Microsoft-Windows-Sysmon | -| CMSTP Execution | intermediate | 1 | Microsoft-Windows-Sysmon | +| UAC Bypass Using Fodhelper | intermediate | 13 | Microsoft-Windows-Sysmon | +| DHCP Server Loaded the CallOut DLL | intermediate | 1033 | | +| Disable Task Manager Through Registry Key | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| Microsoft Defender for Office 365 Medium Severity AIR Alert | elementary | 64 | | +| Antivirus Relevant File Paths Alerts | elementary | 1116 | Microsoft-Windows-Windows Defender | +| Security Support Provider (SSP) Added to LSA Configuration | elementary | 13 | Microsoft-Windows-Sysmon | +| Antivirus Web Shell Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | +| Windows Update LolBins | elementary | 1 | Microsoft-Windows-Sysmon | +| RTLO Character | elementary | 15 | Microsoft-Windows-Sysmon | +| Phosphorus (APT35) Exchange Discovery | elementary | 4104 | Microsoft-Windows-PowerShell | | Smbexec.py Service Installation | elementary | 6, 4697, 7045 | Service Control Manager | -| Disable Task Manager Through Registry Key | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Microsoft 365 Suspicious 
Inbox Rule | elementary | 1 | | -| Dumpert LSASS Process Dumper | elementary | 7, 11 | Microsoft-Windows-Sysmon | -| Exploited CVE-2020-10189 Zoho ManageEngine | elementary | 1 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Signatures Removed With MpCmdRun | elementary | 1 | Microsoft-Windows-Sysmon | -| Lazarus Loaders | elementary | 1 | Microsoft-Windows-Sysmon | +| Wdigest Enable UseLogonCredential | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| RedMimicry Winnti Playbook Dropped File | elementary | 11 | Microsoft-Windows-Sysmon | +| WMI Persistence Command Line Event Consumer | elementary | 7 | Microsoft-Windows-Sysmon | +| WMI Install Of Binary | elementary | 1 | Microsoft-Windows-Sysmon | +| Microsoft Office Startup Add-In | elementary | 11 | Microsoft-Windows-Sysmon | +| Antivirus Password Dumper Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | +| Suspicious VBS Execution Parameter | elementary | 1 | Microsoft-Windows-Sysmon | +| PowerShell AMSI Deactivation Bypass Using .NET Reflection | elementary | 4104 | Microsoft-Windows-PowerShell | +| DNS Tunnel Technique From MuddyWater | elementary | 1 | Microsoft-Windows-Sysmon | +| Domain Trust Discovery Through LDAP | elementary | 1, 4688 | Microsoft-REDACTED-Security-Auditing, Microsoft-Windows-Sysmon | +| Leviathan Registry Key Activity | elementary | 1, 13 | Microsoft-Windows-Sysmon | | Cobalt Strike Default Service Creation Usage | elementary | 4697, 7045 | Microsoft-Windows-Security-Auditing, Service Control Manager | +| Copying Sensitive Files With Credential Data | elementary | 1 | Microsoft-Windows-Sysmon | | Microsoft Defender Antivirus History Directory Deleted | elementary | 1 | Microsoft-Windows-Sysmon | -| PowerShell Downgrade Attack | elementary | 1 | Microsoft-Windows-Sysmon | +| Active Directory Database Dump Via Ntdsutil | elementary | 325 | ESENT | +| Antivirus Exploitation Framework Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | +| 
Mustang Panda Dropper | elementary | 1 | Microsoft-Windows-Sysmon | +| Office Application Startup Office Test | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | 1, 13, 17, 4697, 7045 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager | | Disable Workstation Lock | elementary | 13 | Microsoft-Windows-Sysmon | -| Credential Dumping By LaZagne | elementary | 10 | Microsoft-Windows-Sysmon | -| Malspam Execution Registering Malicious DLL | elementary | 1, 11 | Microsoft-Windows-Sysmon | -| WMI Install Of Binary | elementary | 1 | Microsoft-Windows-Sysmon | -| Active Directory Shadow Credentials | elementary | 5136 | Microsoft-Windows-Security-Auditing | -| Winword Document Droppers | elementary | 1 | Microsoft-Windows-Sysmon | -| Elise Backdoor | elementary | 1 | Microsoft-Windows-Sysmon | -| AdFind Usage | elementary | 1 | Microsoft-Windows-Sysmon | -| Windows Update LolBins | elementary | 1 | Microsoft-Windows-Sysmon | -| Microsoft 365 Email Forwarding To Privacy Email Address | elementary | 1 | | -| Schtasks Persistence With High Privileges | elementary | 1 | Microsoft-Windows-Sysmon | -| FlowCloud Malware | elementary | 13 | Microsoft-Windows-Sysmon | -| Leviathan Registry Key Activity | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Copying Browser Files With Credentials | elementary | 1 | Microsoft-Windows-Sysmon | +| Suncrypt Parameters | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | | Blue Mockingbird Malware | elementary | 1 | Microsoft-Windows-Sysmon | -| Phorpiex Process Masquerading | elementary | 1 | Microsoft-Windows-Sysmon | -| Msdt (Follina) File Browse Process Execution | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Security Support Provider (SSP) Added to LSA Configuration | elementary | 13 | Microsoft-Windows-Sysmon | -| Raccine Uninstall | elementary | 1 | 
Microsoft-Windows-Sysmon | +| Netsh RDP Port Forwarding | elementary | 1 | Microsoft-Windows-Sysmon | +| Lazarus Loaders | elementary | 1 | Microsoft-Windows-Sysmon | | Microsoft 365 Sign-in With No User Agent | elementary | 15 | | +| Microsoft Defender for Office 365 High Severity AIR Alert | elementary | 64 | | +| Invoke-TheHash Commandlets | elementary | 4104 | Microsoft-Windows-PowerShell | +| Microsoft Defender Antivirus Signatures Removed With MpCmdRun | elementary | 1 | Microsoft-Windows-Sysmon | +| UAC Bypass Via Sdclt | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| PasswordDump SecurityXploded Tool | elementary | 1 | Microsoft-Windows-Sysmon | +| Audit CVE Event | elementary | 1 | Microsoft-Windows-Audit-CVE | +| RedMimicry Winnti Playbook Registry Manipulation | elementary | 1, 13 | Microsoft-Windows-Sysmon | +| Netsh Port Forwarding | elementary | 1 | Microsoft-Windows-Sysmon | +| Active Directory Shadow Credentials | elementary | 5136 | Microsoft-Windows-Security-Auditing | +| RYUK Ransomeware - martinstevens Username | elementary | 4103 | Microsoft-Windows-PowerShell | +| Mshta JavaScript Execution | elementary | 1 | Microsoft-Windows-Sysmon | +| Malspam Execution Registering Malicious DLL | elementary | 1, 11 | Microsoft-Windows-Sysmon | +| IcedID Execution Using Excel | elementary | 1 | Microsoft-Windows-Sysmon | +| Microsoft Defender Antivirus Disabled Base64 Encoded | elementary | 1 | Microsoft-Windows-Sysmon | +| Credential Dumping By LaZagne | elementary | 10 | Microsoft-Windows-Sysmon | +| Raccine Uninstall | elementary | 1 | Microsoft-Windows-Sysmon | +| Process Memory Dump Using Createdump | elementary | 1 | Kernel-Process | +| Process Memory Dump Using Rdrleakdiag | elementary | 5 | Kernel-Process | +| Microsoft 365 Suspicious Inbox Rule | elementary | 1 | | +| Phorpiex Process Masquerading | elementary | 1 | Microsoft-Windows-Sysmon | +| Ursnif Registry Key | elementary | 13 | Microsoft-Windows-Sysmon | +| Malicious Service 
Installations | elementary | 4697, 7045 | Service Control Manager | +| PowerShell Downgrade Attack | elementary | 1 | Microsoft-Windows-Sysmon | | Debugging Software Deactivation | elementary | 1 | Microsoft-Windows-Sysmon | -| Impacket Wmiexec Module | elementary | 1 | Microsoft-Windows-Sysmon | +| Dumpert LSASS Process Dumper | elementary | 7, 11 | Microsoft-Windows-Sysmon | | Mimikatz Basic Commands | elementary | 4103 | Microsoft-Windows-PowerShell | -| Suspicious HWP Child Process | elementary | 1 | Microsoft-Windows-Sysmon | -| IcedID Execution Using Excel | elementary | 1 | Microsoft-Windows-Sysmon | -| Netsh RDP Port Forwarding | elementary | 1 | Microsoft-Windows-Sysmon | -| Process Memory Dump Using Comsvcs | elementary | 1 | Microsoft-Windows-Sysmon | -| Wdigest Enable UseLogonCredential | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Antivirus Web Shell Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | -| Active Directory Database Dump Via Ntdsutil | elementary | 325 | ESENT | -| Microsoft Entra ID (Azure AD) Domain Trust Modification | elementary | 8 | | -| Turla Named Pipes | elementary | 17 | Microsoft-Windows-Sysmon | -| DNS Tunnel Technique From MuddyWater | elementary | 1 | Microsoft-Windows-Sysmon | -| ICacls Granting Access To All | elementary | 1 | Microsoft-Windows-Sysmon | -| PasswordDump SecurityXploded Tool | elementary | 1 | Microsoft-Windows-Sysmon | -| RedMimicry Winnti Playbook Dropped File | elementary | 11 | Microsoft-Windows-Sysmon | | Empire Monkey Activity | elementary | 1 | Microsoft-Windows-Sysmon | -| Exploit For CVE-2015-1641 | elementary | 1 | Microsoft-Windows-Sysmon | -| SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory | elementary | 4704 | Microsoft-Windows-Security-Auditing | -| Mustang Panda Dropper | elementary | 1 | Microsoft-Windows-Sysmon | -| CVE-2019-0708 Scan | elementary | 4625 | Microsoft-Windows-Security-Auditing | -| Copying Sensitive Files With Credential Data 
| elementary | 1 | Microsoft-Windows-Sysmon | -| Domain Trust Discovery Through LDAP | elementary | 1, 4688 | Microsoft-REDACTED-Security-Auditing, Microsoft-Windows-Sysmon | -| TrustedInstaller Impersonation | elementary | 4104 | Microsoft-Windows-PowerShell | -| Malicious Service Installations | elementary | 4697, 7045 | Service Control Manager | | Ryuk Ransomware Command Line | elementary | 1 | Microsoft-Windows-Sysmon | -| RedMimicry Winnti Playbook Registry Manipulation | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Suspicious Headless Web Browser Execution To Download File | elementary | 5 | Kernel-Process | -| Equation Group DLL_U Load | elementary | 1 | Microsoft-Windows-Sysmon | -| PowerShell AMSI Deactivation Bypass Using .NET Reflection | elementary | 4104 | Microsoft-Windows-PowerShell | -| Antivirus Password Dumper Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | -| Suspicious Netsh DLL Persistence | elementary | 1 | Microsoft-Windows-Sysmon | -| SysKey Registry Keys Access | elementary | 4656, 4663 | Microsoft-Windows-Security-Auditing | -| UAC Bypass Via Sdclt | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Microsoft Defender for Office 365 Medium Severity AIR Alert | elementary | 64 | | -| Antivirus Exploitation Framework Detection | elementary | 1116 | Microsoft-Windows-Windows Defender | -| Phorpiex DriveMgr Command | elementary | 1 | Microsoft-Windows-Sysmon | -| Suspicious VBS Execution Parameter | elementary | 1 | Microsoft-Windows-Sysmon | -| Office Application Startup Office Test | elementary | 1, 13 | Microsoft-Windows-Sysmon | -| Phosphorus (APT35) Exchange Discovery | elementary | 4104 | Microsoft-Windows-PowerShell | +| Exploit For CVE-2015-1641 | elementary | 1 | Microsoft-Windows-Sysmon | | Suspicious Windows ANONYMOUS LOGON Local Account Created | elementary | 4720 | Microsoft-Windows-Security-Auditing | -| Invoke-TheHash Commandlets | elementary | 4104 | Microsoft-Windows-PowerShell | -| Windows 
Credential Editor Registry Key | elementary | 13 | Microsoft-Windows-Sysmon | +| Phorpiex DriveMgr Command | elementary | 1 | Microsoft-Windows-Sysmon | +| SysKey Registry Keys Access | elementary | 4656, 4663 | Microsoft-Windows-Security-Auditing | +| Elise Backdoor | elementary | 1 | Microsoft-Windows-Sysmon | +| Suspicious Netsh DLL Persistence | elementary | 1 | Microsoft-Windows-Sysmon | +| Copying Browser Files With Credentials | elementary | 1 | Microsoft-Windows-Sysmon | +| ICacls Granting Access To All | elementary | 1 | Microsoft-Windows-Sysmon | +| Suspicious Headless Web Browser Execution To Download File | elementary | 5 | Kernel-Process | +| HackTools Suspicious Names | elementary | 5, 11 | Microsoft-Windows-Kernel-File, Microsoft-Windows-Sysmon | +| Suspicious HWP Child Process | elementary | 1 | Microsoft-Windows-Sysmon | | Sticky Key Like Backdoor Usage | elementary | 13 | Microsoft-Windows-Sysmon | -| Process Memory Dump Using Createdump | elementary | 1 | Kernel-Process | -| Microsoft Defender for Office 365 High Severity AIR Alert | elementary | 64 | | -| Suncrypt Parameters | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | -| Meterpreter or Cobalt Strike Getsystem Service Installation | elementary | 1, 13, 17, 4697, 7045 | Microsoft-Windows-Security-Auditing, Microsoft-Windows-Sysmon, Service Control Manager | -| APT29 Fake Google Update Service Install | elementary | 7045 | Service Control Manager | -| WMI Persistence Command Line Event Consumer | elementary | 7 | Microsoft-Windows-Sysmon | -| Audit CVE Event | elementary | 1 | Microsoft-Windows-Audit-CVE | -| Process Memory Dump Using Rdrleakdiag | elementary | 5 | Kernel-Process | -| RTLO Character | elementary | 15 | Microsoft-Windows-Sysmon | -| Microsoft Office Startup Add-In | elementary | 11 | Microsoft-Windows-Sysmon | -| Microsoft Defender Antivirus Disabled Base64 Encoded | elementary | 1 | Microsoft-Windows-Sysmon | +| Schtasks Persistence With High 
Privileges | elementary | 1 | Microsoft-Windows-Sysmon | +| Equation Group DLL_U Load | elementary | 1 | Microsoft-Windows-Sysmon | +| FlowCloud Malware | elementary | 13 | Microsoft-Windows-Sysmon | +| Microsoft Entra ID (Azure AD) Domain Trust Modification | elementary | 8 | | +| Turla Named Pipes | elementary | 17 | Microsoft-Windows-Sysmon | +| TrustedInstaller Impersonation | elementary | 4104 | Microsoft-Windows-PowerShell | +| Microsoft 365 Email Forwarding To Privacy Email Address | elementary | 1 | | +| Exploited CVE-2020-10189 Zoho ManageEngine | elementary | 1 | Microsoft-Windows-Sysmon | | OneNote Suspicious Children Process | elementary | 1, 15 | Microsoft-Windows-Sysmon | -| Ursnif Registry Key | elementary | 13 | Microsoft-Windows-Sysmon | -| Mshta JavaScript Execution | elementary | 1 | Microsoft-Windows-Sysmon | -| RYUK Ransomeware - martinstevens Username | elementary | 4103 | Microsoft-Windows-PowerShell | -| Antivirus Relevant File Paths Alerts | elementary | 1116 | Microsoft-Windows-Windows Defender | +| APT29 Fake Google Update Service Install | elementary | 7045 | Service Control Manager | +| AdFind Usage | elementary | 1 | Microsoft-Windows-Sysmon | +| SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory | elementary | 4704 | Microsoft-Windows-Security-Auditing | +| Winword Document Droppers | elementary | 1 | Microsoft-Windows-Sysmon | +| Windows Credential Editor Registry Key | elementary | 13 | Microsoft-Windows-Sysmon | +| Msdt (Follina) File Browse Process Execution | elementary | 1, 4104 | Microsoft-Windows-PowerShell, Microsoft-Windows-Sysmon | +| Impacket Wmiexec Module | elementary | 1 | Microsoft-Windows-Sysmon | +| CVE-2019-0708 Scan | elementary | 4625 | Microsoft-Windows-Security-Auditing | | Outlook Registry Access | elementary | 1 | Microsoft-Windows-Sysmon | +| Process Memory Dump Using Comsvcs | elementary | 1 | Microsoft-Windows-Sysmon | ## EventIDs occurences in rules -| EventID | Number of rules 
concerned | Percentage of rules concerned (Total rules: 447) | +| EventID | Number of rules concerned | Percentage of rules concerned (Total rules: 449) | | ------- | ------------------------- | ------------------------------------------------------ | -| 1 | 220 | 49.22 % | -| 13 | 45 | 10.07 % | -| 4104 | 43 | 9.62 % | -| 11 | 20 | 4.47 % | -| 7 | 15 | 3.36 % | -| 5 | 15 | 3.36 % | -| 7045 | 11 | 2.46 % | -| 5145 | 11 | 2.46 % | -| 4656 | 8 | 1.79 % | -| 3 | 7 | 1.57 % | -| 4688 | 7 | 1.57 % | -| 15 | 7 | 1.57 % | -| 4697 | 6 | 1.34 % | +| 1 | 221 | 49.22 % | +| 13 | 45 | 10.02 % | +| 4104 | 43 | 9.58 % | +| 11 | 20 | 4.45 % | +| 5 | 15 | 3.34 % | +| 7 | 15 | 3.34 % | +| 7045 | 11 | 2.45 % | +| 5145 | 11 | 2.45 % | +| 4656 | 8 | 1.78 % | +| 15 | 7 | 1.56 % | +| 4688 | 7 | 1.56 % | +| 3 | 7 | 1.56 % | | 98 | 6 | 1.34 % | -| 10 | 6 | 1.34 % | | 5136 | 6 | 1.34 % | | 4663 | 6 | 1.34 % | -| 4662 | 6 | 1.34 % | +| 10 | 6 | 1.34 % | +| 4697 | 6 | 1.34 % | | 17 | 6 | 1.34 % | -| 4624 | 5 | 1.12 % | -| 1116 | 5 | 1.12 % | -| 22 | 4 | 0.89 % | +| 4662 | 6 | 1.34 % | +| 1116 | 5 | 1.11 % | +| 4624 | 5 | 1.11 % | | 64 | 4 | 0.89 % | +| 22 | 4 | 0.89 % | | 4103 | 4 | 0.89 % | | 6 | 3 | 0.67 % | | 12 | 3 | 0.67 % | | 4720 | 3 | 0.67 % | | 4625 | 3 | 0.67 % | -| 4729 | 2 | 0.45 % | +| 1033 | 2 | 0.45 % | +| 25 | 2 | 0.45 % | +| 5007 | 2 | 0.45 % | | 4728 | 2 | 0.45 % | -| 30 | 2 | 0.45 % | +| 4729 | 2 | 0.45 % | | 8 | 2 | 0.45 % | +| 30 | 2 | 0.45 % | | 20 | 2 | 0.45 % | -| 5007 | 2 | 0.45 % | -| 25 | 2 | 0.45 % | -| 4661 | 1 | 0.22 % | +| 770 | 1 | 0.22 % | +| 771 | 1 | 0.22 % | +| 150 | 1 | 0.22 % | +| 4732 | 1 | 0.22 % | +| 1032 | 1 | 0.22 % | +| 1034 | 1 | 0.22 % | +| 1031 | 1 | 0.22 % | | 5154 | 1 | 0.22 % | | 4754 | 1 | 0.22 % | | 4756 | 1 | 0.22 % | 
@@ -507,32 +516,46 @@ The colors of the EventIDs in this page should be interpreted as follow: | 4727 | 1 | 0.22 % | | 4730 | 1 | 0.22 % | | 4764 | 1 | 0.22 % | -| 4658 | 1 | 0.22 % | -| 4743 | 1 | 0.22 % | +| 4794 | 1 | 0.22 % | +| 4611 | 1 | 0.22 % | | 4706 | 1 | 0.22 % | | 4707 | 1 | 0.22 % | +| 325 | 1 | 0.22 % | | 1013 | 1 | 0.22 % | -| 1033 | 1 | 0.22 % | +| 4658 | 1 | 0.22 % | +| 517 | 1 | 0.22 % | +| 1102 | 1 | 0.22 % | | 8001 | 1 | 0.22 % | +| 6416 | 1 | 0.22 % | +| 4657 | 1 | 0.22 % | +| 40 | 1 | 0.22 % | +| 4674 | 1 | 0.22 % | +| 524 | 1 | 0.22 % | +| 4799 | 1 | 0.22 % | +| 1000 | 1 | 0.22 % | +| 4673 | 1 | 0.22 % | +| 4825 | 1 | 0.22 % | +| 19 | 1 | 0.22 % | +| 21 | 1 | 0.22 % | +| 4776 | 1 | 0.22 % | +| 5156 | 1 | 0.22 % | +| 16 | 1 | 0.22 % | | 27 | 1 | 0.22 % | +| 4743 | 1 | 0.22 % | | 4738 | 1 | 0.22 % | -| 16 | 1 | 0.22 % | -| 5156 | 1 | 0.22 % | -| 40 | 1 | 0.22 % | +| 4661 | 1 | 0.22 % | | 4742 | 1 | 0.22 % | -| 4657 | 1 | 0.22 % | -| 325 | 1 | 0.22 % | -| 1000 | 1 | 0.22 % | -| 1032 | 1 | 0.22 % | -| 1034 | 1 | 0.22 % | -| 1031 | 1 | 0.22 % | +| 47 | 1 | 0.22 % | | 4649 | 1 | 0.22 % | +| 4726 | 1 | 0.22 % | +| 5140 | 1 | 0.22 % | | 4704 | 1 | 0.22 % | -| 4732 | 1 | 0.22 % | -| 6416 | 1 | 0.22 % | -| 4611 | 1 | 0.22 % | -| 524 | 1 | 0.22 % | -| 4825 | 1 | 0.22 % | +| 1127 | 1 | 0.22 % | +| 5001 | 1 | 0.22 % | +| 5101 | 1 | 0.22 % | +| 5010 | 1 | 0.22 % | +| 5012 | 1 | 0.22 % | +| 2013 | 1 | 0.22 % | | 1125 | 1 | 0.22 % | | 1126 | 1 | 0.22 % | | 1006 | 1 | 0.22 % | 
@@ -542,56 +565,35 @@ The colors of the EventIDs in this page should be interpreted as follow: | 1117 | 1 | 0.22 % | | 1118 | 1 | 0.22 % | | 1119 | 1 | 0.22 % | -| 517 | 1 | 0.22 % | -| 1102 | 1 | 0.22 % | -| 4726 | 1 | 0.22 % | -| 19 | 1 | 0.22 % | -| 21 | 1 | 0.22 % | -| 4799 | 1 | 0.22 % | -| 5140 | 1 | 0.22 % | -| 4776 | 1 | 0.22 % | -| 4794 | 1 | 0.22 % | -| 47 | 1 | 0.22 % | -| 1127 | 1 | 0.22 % | -| 5001 | 1 | 0.22 % | -| 5101 | 1 | 0.22 % | -| 5010 | 1 | 0.22 % | -| 5012 | 1 | 0.22 % | -| 2013 | 1 | 0.22 % | -| 770 | 1 | 0.22 % | -| 771 | 1 | 0.22 % | -| 150 | 1 | 0.22 % | -| 4674 | 1 | 0.22 % | -| 4673 | 1 | 0.22 % | ## EventProviders occurences in rules -| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 447) | +| EventProvider | Number of rules concerned | Percentage of rules concerned (Total rules: 449) | | ------- | ------------------------- | ------------------------------------------------------ | -| Microsoft-Windows-Sysmon | 290 | 64.88 % | -| Microsoft-Windows-Security-Auditing | 69 | 15.44 % | -| Microsoft-Windows-PowerShell | 47 | 10.51 % | -| Kernel-Process | 20 | 4.47 % | -| Service Control Manager | 11 | 2.46 % | -| Microsoft-Windows-Windows Defender | 9 | 2.01 % | +| Microsoft-Windows-Sysmon | 292 | 65.03 % | +| Microsoft-Windows-Security-Auditing | 69 | 15.37 % | +| Microsoft-Windows-PowerShell | 47 | 10.47 % | +| Kernel-Process | 20 | 4.45 % | +| Service Control Manager | 11 | 2.45 % | +| Microsoft-Windows-Windows Defender | 9 | 2.0 % | | Microsoft-Windows-Kernel-File | 4 | 0.89 % | -| Microsoft-Windows-DHCP-Server | 2 | 0.45 % | -| Microsoft-Windows-Kernel-Network | 1 | 0.22 % | -| Microsoft-Windows-NTLM | 1 | 0.22 % | -| Microsoft-Windows-Kernel-Process | 1 | 0.22 % | -| Microsoft-Windows-Kernel-General | 1 | 0.22 % | -| ESENT | 1 | 0.22 % | -| Application Error | 1 | 0.22 % | -| Microsoft-Windows-Backup | 1 | 0.22 % | +| Microsoft-Windows-DNS-Server-Service | 1 | 0.22 % | +| 
Microsoft-Windows-DHCP-Server | 1 | 0.22 % | | Microsoft-REDACTED-Security-Auditing | 1 | 0.22 % | +| ESENT | 1 | 0.22 % | | Microsoft-Windows-Eventlog | 1 | 0.22 % | -| Microsoft-Windows-DNS-Client | 1 | 0.22 % | -| Microsoft-Windows-DNS-Server-Service | 1 | 0.22 % | +| Microsoft-Windows-NTLM | 1 | 0.22 % | | Microsoft-Windows-Audit-CVE | 1 | 0.22 % | +| Microsoft-Windows-Kernel-Network | 1 | 0.22 % | +| Microsoft-Windows-Backup | 1 | 0.22 % | +| Application Error | 1 | 0.22 % | +| Microsoft-Windows-DNS-Client | 1 | 0.22 % | +| Microsoft-Windows-Kernel-General | 1 | 0.22 % | +| Microsoft-Windows-Kernel-Process | 1 | 0.22 % | ## EffortLevel x EventIDs -| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 447 | +| Effort Level | EventIDs | Number of related rules | Percentage of related rules (Total rules: 449 | | ------------ | -------- | ----------------------- | ------------------------------------------------------- | -| master | 1, 10, 1013, 11, 12, 13, 15, 150, 17, 22, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4726, 4727, 4728, 4729, 4730, 4743, 4754, 4756, 4757, 4758, 4764, 5007, 5140, 5145, 7, 770, 771, 8001, 98 | 79 | 17.67 % | -| advanced | 1, 10, 11, 1127, 13, 15, 17, 19, 20, 2013, 21, 22, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5, 5001, 5010, 5012, 5101, 5136, 5145, 5154, 5156, 64, 6416, 7, 7045, 8 | 107 | 23.94 % | -| intermediate | 1, 10, 1000, 1006, 1007, 1008, 1015, 1031, 1032, 1033, 1034, 11, 1102, 1116, 1117, 1118, 1119, 1125, 1126, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 47, 4720, 4732, 4738, 4742, 4794, 4825, 5, 5136, 5145, 517, 524, 6, 64, 7, 7045 | 170 | 38.03 % | -| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4625, 4656, 4663, 4688, 4697, 4704, 4720, 5, 5136, 6, 64, 7, 7045, 8 | 91 | 20.36 % | \ No newline at end of file +| master | 1, 10, 1013, 11, 12, 13, 
15, 150, 17, 22, 25, 27, 3, 40, 4104, 4611, 4624, 4625, 4656, 4661, 4662, 4663, 4673, 4674, 4720, 4726, 4727, 4728, 4729, 4730, 4743, 4754, 4756, 4757, 4758, 4764, 5007, 5140, 5145, 7, 770, 771, 8001, 98 | 79 | 17.59 % | +| advanced | 1, 10, 11, 1127, 13, 15, 17, 19, 20, 2013, 21, 22, 3, 4103, 4104, 4624, 4625, 4656, 4662, 4688, 4706, 4707, 4776, 4799, 5, 5001, 5010, 5012, 5101, 5136, 5145, 5154, 5156, 64, 6416, 7, 7045, 8 | 107 | 23.83 % | +| intermediate | 1, 10, 1000, 1006, 1007, 1008, 1015, 1031, 1032, 1033, 1034, 11, 1102, 1116, 1117, 1118, 1119, 1125, 1126, 12, 13, 15, 16, 17, 20, 22, 3, 30, 4103, 4104, 4624, 4649, 4656, 4657, 4658, 4662, 4663, 4688, 4697, 47, 4720, 4732, 4738, 4742, 4794, 4825, 5, 5136, 5145, 517, 524, 6, 64, 7, 7045 | 170 | 37.86 % | +| elementary | 1, 10, 11, 1116, 13, 15, 17, 325, 4103, 4104, 4625, 4656, 4663, 4688, 4697, 4704, 4720, 5, 5136, 6, 64, 7, 7045, 8 | 93 | 20.71 % | \ No newline at end of file