From 80dad1ef67b8a524d04ed8dc0c19221370cfb2eb Mon Sep 17 00:00:00 2001 From: GuillaumeCSekoia Date: Tue, 7 Nov 2023 10:20:23 +0000 Subject: [PATCH] Refresh Built-in detection rules documentation --- ...f5e-a585fc7c8fc0_do_not_edit_manually.json | 2 +- ...41e-af269b45bef1_do_not_edit_manually.json | 2 +- ...7d1-588319e39d71_do_not_edit_manually.json | 2 +- ...5c4-c8174c307e48_do_not_edit_manually.json | 2 +- ...575-9e43af779f9f_do_not_edit_manually.json | 2 +- ...5e2-4597e366b8c4_do_not_edit_manually.json | 2 +- ...02e-e88fe2193365_do_not_edit_manually.json | 2 +- ...803-e7990afe78b6_do_not_edit_manually.json | 2 +- ...b17-90c0be6b1f10_do_not_edit_manually.json | 2 +- ...9b6-76bf5298a617_do_not_edit_manually.json | 2 +- ...fbd-01e3fac01cd5_do_not_edit_manually.json | 2 +- ...c24-2d7129137688_do_not_edit_manually.json | 2 +- ...13a-f8dd48cddc8c_do_not_edit_manually.json | 2 +- ...46b-974354a107bb_do_not_edit_manually.json | 2 +- ...cfd-43f7d9595777_do_not_edit_manually.json | 2 +- ...d19-67edc91fb063_do_not_edit_manually.json | 2 +- ...e06-7b335e439c29_do_not_edit_manually.json | 2 +- ...916-636c27ba4931_do_not_edit_manually.json | 2 +- ...b02-e72f870fcbd1_do_not_edit_manually.json | 2 +- ...901-b7fadfb0ba48_do_not_edit_manually.json | 2 +- ...038-3f7d5a3b8b11_do_not_edit_manually.json | 2 +- ...00a-2b58303cac90_do_not_edit_manually.json | 2 +- ...e47-1574946412b6_do_not_edit_manually.json | 2 +- ...750-5db882ea1266_do_not_edit_manually.json | 2 +- ...033-6f1f887a70f2_do_not_edit_manually.json | 2 +- ...597-d2944a601930_do_not_edit_manually.json | 2 +- ...6bd-91a447bb26bd_do_not_edit_manually.json | 2 +- ...f3b-f73a622c9687_do_not_edit_manually.json | 2 +- ...c99-5c2de7e1d340_do_not_edit_manually.json | 2 +- ...4fa-28d6c1f2e2a8_do_not_edit_manually.json | 2 +- ...d69-684a0b3835fc_do_not_edit_manually.json | 2 +- ...d60-8fd5e39140b3_do_not_edit_manually.json | 2 +- ...109-c6d85b91bbcf_do_not_edit_manually.json | 2 +- ...703-7452882e70da_do_not_edit_manually.json | 2 +- ...2ff-0e1cde564161_do_not_edit_manually.json | 2 +- ...f81-30df7b1963a0_do_not_edit_manually.json | 2 +- ...e09-44d31626b694_do_not_edit_manually.json | 2 +- ...28f-3ee3cd5b9a8e_do_not_edit_manually.json | 2 +- ...47b-ef64dd87c981_do_not_edit_manually.json | 2 +- ...746-b2b9f366e34b_do_not_edit_manually.json | 2 +- ...780-b225c59e9f99_do_not_edit_manually.json | 2 +- ...1f3-49e3993c16f5_do_not_edit_manually.json | 2 +- ...f2d-eed5013fe463_do_not_edit_manually.json | 2 +- ...60f-2d3fd0b46987_do_not_edit_manually.json | 2 +- ...c15-3828627ba899_do_not_edit_manually.json | 2 +- ...5de-5c2722fa020e_do_not_edit_manually.json | 2 +- ...b6d-3f79045f28fa_do_not_edit_manually.json | 2 +- ...cbb-bc830118c1f9_do_not_edit_manually.json | 2 +- ...b3d-b7cb7b7db618_do_not_edit_manually.json | 2 +- ...079-3dd25d472e0a_do_not_edit_manually.json | 2 +- ...b6f-a8e4dcac3d1d_do_not_edit_manually.json | 2 +- ...f1d-772e9a30f0dd_do_not_edit_manually.json | 2 +- ...bcc-45fd108ba1be_do_not_edit_manually.json | 2 +- ...90d-9af2f7be7019_do_not_edit_manually.json | 2 +- ...76c-408472fcfebb_do_not_edit_manually.json | 2 +- ...060-a9d9f2d270db_do_not_edit_manually.json | 2 +- ...afa-595bd430c0cb_do_not_edit_manually.json | 2 +- ...e37-842703494be0_do_not_edit_manually.json | 2 +- ...ae5-aa67d2f29fcb_do_not_edit_manually.json | 2 +- ...79a-f97be24cc02d_do_not_edit_manually.json | 2 +- ...e56-0242ac120002_do_not_edit_manually.json | 2 +- ...763-aad3451821e5_do_not_edit_manually.json | 2 +- ...0ce-dbcae04eaf26_do_not_edit_manually.json | 2 +- ...b7a-4f2d0a518b04_do_not_edit_manually.json | 2 +- ...5aa-2a6a900df99b_do_not_edit_manually.json | 2 +- ...43e-9848cadb1f99_do_not_edit_manually.json | 2 +- ...844-f7f4d7348199_do_not_edit_manually.json | 2 +- ...847-983f38efb8ff_do_not_edit_manually.json | 2 +- ...602-a5994544d9ed_do_not_edit_manually.json | 2 +- ...f71-46155af56570_do_not_edit_manually.json | 2 +- ...15f-1f83807ff3cc_do_not_edit_manually.json | 2 +- ...659-4cb814431e29_do_not_edit_manually.json | 2 +- ...fa0-c63661820941_do_not_edit_manually.json | 2 +- ...9c5-e075f3fb3216_do_not_edit_manually.json | 2 +- ...e89-f2b8be4baf4e_do_not_edit_manually.json | 2 +- ...8ed-b7fb3d7fa232_do_not_edit_manually.json | 2 +- ...785-c1276277b5d7_do_not_edit_manually.json | 2 +- ...e0e-ca4e6cecf7e6_do_not_edit_manually.json | 2 +- ...af5-b69c7b679887_do_not_edit_manually.json | 2 +- ...cb6-2f574bd4ce51_do_not_edit_manually.json | 2 +- ...399-ddd992d48472_do_not_edit_manually.json | 2 +- ...c2d-e2cfa46bf0e5_do_not_edit_manually.json | 2 +- ...098-fe4a9e0aeaa0_do_not_edit_manually.json | 2 +- ...in_rules_changelog_do_not_edit_manually.md | 5 +- .../built_in_rules_do_not_edit_manually.md | 14 ++- ...-a5e2-4597e366b8c4_do_not_edit_manually.md | 6 - ...-9cfd-43f7d9595777_do_not_edit_manually.md | 6 - ...-8e47-1574946412b6_do_not_edit_manually.md | 6 - ...-af3b-f73a622c9687_do_not_edit_manually.md | 6 - ...-94fa-28d6c1f2e2a8_do_not_edit_manually.md | 6 - ...-a109-c6d85b91bbcf_do_not_edit_manually.md | 6 - ...-b060-a9d9f2d270db_do_not_edit_manually.md | 6 - ...-8ae5-aa67d2f29fcb_do_not_edit_manually.md | 6 - ...-be56-0242ac120002_do_not_edit_manually.md | 6 - ...-85aa-2a6a900df99b_do_not_edit_manually.md | 114 ++++++++++++++++++ ...-943e-9848cadb1f99_do_not_edit_manually.md | 6 - ...-baf5-b69c7b679887_do_not_edit_manually.md | 6 - .../built_in_detection_rules_eventids.md | 2 +- 98 files changed, 215 insertions(+), 152 deletions(-) diff --git a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json index 2f64924a5e..8ee995b047 100644 --- a/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_00bbde4f-cb17-4c3f-9f5e-a585fc7c8fc0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Disabled IE Security Features, Raccine Uninstall, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Kubernetes Engine", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json index 37c81f013b..feac821bd6 100644 --- a/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_021e9def-5a55-4369-941e-af269b45bef1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CMSTP Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Phorpiex DriveMgr Command, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH X11 Forwarding, Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SSH Tunnel Traffic"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Linux Binary Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, ICacls Granting Access To All"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Elastic AuditBeat Linux", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Control Panel Items, Suspicious Windows Installer Execution, Mshta JavaScript Execution, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, PowerShell Execution Via Rundll32, Suspicious Control Process, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Lazarus Loaders, Koadic Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Python Offensive Tools and Packages, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious VBS Execution Parameter, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, Koadic Execution, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SSH X11 Forwarding, Exfiltration And Tunneling Tools Execution, SSH Tunnel Traffic, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Linux Binary Masquerading, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File and Directory Permissions Modification, ICacls Granting Access To All"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious VBS Execution Parameter, Suspicious Windows Script Execution"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1548.001", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Setuid Or Setgid Usage"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1222.002", "score": 100, "comment": "Rules: File and Directory Permissions Modification"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json index e8219ac169..6162b2ec94 100644 --- a/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_02a74ceb-a9b0-467c-97d1-588319e39d71_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Citrix NetScaler / ADC", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: FoggyWeb HTTP Default GET/POST Requests, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json index 11e531c43c..6acc3f9037 100644 --- a/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_033cd098-b21b-4c9b-85c4-c8174c307e48_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CMSTP Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, WithSecure Elements Critical Severity, PsExec Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Phorpiex DriveMgr Command, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, AutoIt3 Execution From Suspicious Folder, WithSecure Elements Critical Severity, PowerShell Download From URL, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, WithSecure Elements Critical Severity, Explorer Process Executing HTA File, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WithSecure Elements", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Control Panel Items, Suspicious Windows Installer Execution, Mshta JavaScript Execution, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, PowerShell Execution Via Rundll32, Suspicious Control Process, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, WithSecure Elements Critical Severity, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Lazarus Loaders, Koadic Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Python Offensive Tools and Packages, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, WithSecure Elements Critical Severity, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious VBS Execution Parameter, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, Koadic Execution, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, WithSecure Elements Critical Severity, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json index 8863f2f358..b9b39b0575 100644 --- a/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_05e6f36d-cee0-4f06-b575-9e43af779f9f_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CertOC Loading Dll, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Mshta Execution, Control Panel Items, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Control Process, Mshta JavaScript Execution, MOFComp Execution, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools, SolarWinds Suspicious File Creation, PsExec Process, SolarWinds Wrong Child Process, Microsoft 365 Defender Cloud App Security Alert, Microsoft 365 Defender For Endpoint Alert, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process, Microsoft 365 Defender Alert, Wininit Wrong Parent, Windows Update LolBins, Microsoft Defender for Office 365 Alert, Winword wrong parent"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Phorpiex DriveMgr Command, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious Windows Script Execution, Socat Relaying Socket, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Microsoft 365 Defender For Endpoint Alert, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Microsoft 365 Defender Cloud App Security Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, Microsoft 365 Defender Alert, Socat Reverse Shell Detection, PowerShell Download From URL, QakBot Process Creation, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Venom Multi-hop Proxy agent detection, Bloodhound and Sharphound Tools Usage, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Microsoft Defender for Office 365 Alert, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Download Files From Suspicious TLDs, Microsoft 365 Defender Alert, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft 365 Defender Cloud App Security Alert, Microsoft Office Product Spawning Windows Shell, Microsoft 365 Defender For Endpoint Alert, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Defender for Office 365 Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, SELinux Disabling, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, MalwareBytes Uninstallation, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, Suspicious Driver Loaded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, SELinux Disabling, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Winrshost Wrong Parent, Usage Of Sysinternals Tools, PsExec Process, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process, Wininit Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Winrshost Wrong Parent, New Service Creation, Explorer Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Winrshost Wrong Parent, New Service Creation, Explorer Wrong Parent, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Wininit Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Socat Reverse Shell Detection, Socat Relaying Socket, SOCKS Tunneling Tool, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Impacket Wmiexec Module, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft 365 Defender", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Nimbo-C2 User Agent, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, CertOC Loading Dll, Control Panel Items, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, CMSTP Execution, Empire Monkey Activity, xWizard Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, MOFComp Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Wininit Wrong Parent, PsExec Process, Microsoft 365 Defender Alert, SolarWinds Suspicious File Creation, Winword wrong parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Microsoft 365 Defender For Endpoint Alert, Microsoft 365 Defender Cloud App Security Alert, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Windows Update LolBins, Microsoft Defender for Office 365 Alert"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Koadic Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Socat Relaying Socket, Python Offensive Tools and Packages, Elise Backdoor, Interactive Terminal Spawned via Python, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft 365 Defender Cloud App Security Alert, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Venom Multi-hop Proxy agent detection, Microsoft Defender for Office 365 Alert, PowerShell Download From URL, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Microsoft 365 Defender Alert, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Powershell Web Request, Socat Reverse Shell Detection, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, QakBot Process Creation, Microsoft 365 Defender For Endpoint Alert, Koadic Execution, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 Defender Alert, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Microsoft 365 Defender For Endpoint Alert, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, Microsoft 365 Defender Cloud App Security Alert, Microsoft Defender for Office 365 Alert, IcedID Execution Using Excel"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, SELinux Disabling, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disabled Service, Suspicious Driver Loaded, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Disable .NET ETW Through COMPlus_ETWEnabled, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, SELinux Disabling, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disabled Service, Suspicious Driver Loaded, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Wininit Wrong Parent, PsExec Process, Winword wrong parent, Winrshost Wrong Parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Wininit Wrong Parent, Explorer Wrong Parent, Winword wrong parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, New Service Creation, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Wininit Wrong Parent, Explorer Wrong Parent, Winword wrong parent, Winrshost Wrong Parent, SolarWinds Wrong Child Process, New Service Creation, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Ngrok Process Execution, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, NjRat Registry Changes, Kernel Module Alteration, Autorun Keys Modification"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json index 95f7429c25..0372a655d6 100644 --- a/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x VMware vCenter", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json index 3e02a56ff2..8ce38004be 100644 --- a/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_064f7e8b-ce5f-474d-802e-e88fe2193365_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CMSTP Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process, Trend Micro Apex One Data Loss Prevention Alert, Trend Micro Apex One Malware Alert"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Phorpiex DriveMgr Command, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Trend Micro Apex One Malware Alert, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Trend Micro Apex One Data Loss Prevention Alert, Bloodhound and Sharphound Tools Usage, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Trend Micro Apex One Data Loss Prevention Alert, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Trend Micro Apex One Malware Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trend Micro Apex One", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Control Panel Items, Suspicious Windows Installer Execution, Mshta JavaScript Execution, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, PowerShell Execution Via Rundll32, Suspicious Control Process, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Trend Micro Apex One Data Loss Prevention Alert, SolarWinds Suspicious File Creation, Usage Of Procdump With Common Arguments, Trend Micro Apex One Malware Alert"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Lazarus Loaders, Koadic Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Python Offensive Tools and Packages, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Trend Micro Apex One Data Loss Prevention Alert, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, MalwareBytes Uninstallation, Trend Micro Apex One Malware Alert, Suspicious VBS Execution Parameter, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, Koadic Execution, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Suspicious TLDs, Trend Micro Apex One Data Loss Prevention Alert, Trend Micro Apex One Malware Alert"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Trend Micro Apex One Intrusion Detection Alert"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json index 849f1b103b..971a776d7e 100644 --- a/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_07c556c0-0675-478c-9803-e7990afe78b6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, SentinelOne EDR Threat Detected (Malicious), MalwareBytes Uninstallation, Suspicious PrinterPorts Creation (CVE-2020-1048), Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Threat Mitigation Report Quarantine Success, Default Encoding To UTF-8 PowerShell, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Quarantine Failed, WMIC Uninstall Product, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Kill Success, Microsoft Defender Antivirus Disabled Base64 Encoded, Exploiting SetupComplete.cmd CVE-2019-1378, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR SSO User Added, SentinelOne EDR User Failed To Log In To The Management Console, DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR Threat Detected (Suspicious), Lazarus Loaders, SentinelOne EDR Agent Disabled, SentinelOne EDR Custom Rule Alert, Phorpiex DriveMgr Command, Suspicious Microsoft Defender Antivirus Exclusion Command, SentinelOne EDR User Logged In To The Management Console"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Disabled IE Security Features, Raccine Uninstall, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, Control Panel Items, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SentinelOne EDR SSO User Added, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SolarWinds Wrong Child Process, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Agent Disabled, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Logged In To The Management Console"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Impacket Wmiexec Module, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR SSO User Added, MS Office Product Spawning Exe in User Dir, SentinelOne EDR User Failed To Log In To The Management Console, SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Quarantine Success, Download Files From Suspicious TLDs, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Logged In To The Management Console"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, PowerShell EncodedCommand, Suspicious Taskkill Command, SentinelOne EDR SSO User Added, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Custom Rule Alert, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Remediate Success, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, SentinelOne EDR Malicious Threat Not Mitigated, MalwareBytes Uninstallation, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Success, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, SentinelOne EDR User Logged In To The Management Console, SentinelOne EDR User Failed To Log In To The Management Console"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CMSTP UAC Bypass via COM Object Access, Suspicious Windows Installer Execution, MavInject Process Injection, SquirrelWaffle Malspam Execution Loading DLL, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Success, SentinelOne EDR Threat Detected (Suspicious), SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), Usage Of Procdump With Common Arguments, SolarWinds Wrong Child Process, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR SSO User Added, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Logged In To The Management Console"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Trace Alteration, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Phorpiex Process Masquerading"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, RTLO Character, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Formbook Hijacked Process Command"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Webshell Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, WMIC Uninstall Product, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, MS Office Product Spawning Exe in User Dir"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: SentinelOne EDR Custom Rule Alert, SentinelOne EDR Threat Mitigation Report Kill Success, SentinelOne EDR Threat Mitigation Report Quarantine Success, Download Files From Suspicious TLDs, MS Office Product Spawning Exe in User Dir, SentinelOne EDR Threat Detected (Suspicious), SquirrelWaffle Malspam Execution Loading DLL, SentinelOne EDR Suspicious Threat Not Mitigated (Medium Confidence), SentinelOne EDR Malicious Threat Not Mitigated, SentinelOne EDR Threat Detected (Malicious), SentinelOne EDR Threat Mitigation Report Quarantine Failed, SentinelOne EDR Agent Disabled, SentinelOne EDR Threat Mitigation Report Remediate Success, SentinelOne EDR SSO User Added, SentinelOne EDR User Failed To Log In To The Management Console, SentinelOne EDR Malicious Threat Detected And Mitigated Preemptively, SentinelOne EDR User Logged In To The Management Console"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: SolarWinds Wrong Child Process"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json index 7ec412b3d9..9c1b594f8a 100644 --- a/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0ba58f32-7dba-4084-ab17-90c0be6b1f10_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare HTTP requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Cloudflare HTTP Requests Rule Block Or Drop"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json index 6c74866a8b..342cf5d3ac 100644 --- a/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_0de050fb-3f56-4c7a-a9b6-76bf5298a617_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CertOC Loading Dll, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Mshta Execution, Control Panel Items, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Control Process, Mshta JavaScript Execution, MOFComp Execution, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Phorpiex DriveMgr Command, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, QakBot Process Creation, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process, Windows Update LolBins, Winword wrong parent"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, New Service Creation, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Winword wrong parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Impacket Wmiexec Module, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cybereason EDR activity", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, CertOC Loading Dll, Control Panel Items, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, CMSTP Execution, Empire Monkey Activity, xWizard Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, MOFComp Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Koadic Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Powershell Web Request, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, QakBot Process Creation, Koadic Execution, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Winword wrong parent, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Winword wrong parent, SolarWinds Wrong Child Process, New Service Creation, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Winword wrong parent, SolarWinds Wrong Child Process, New Service Creation, Suspicious Commands From MS SQL Server Shell"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json index af222ebda9..1ad549a457 100644 --- a/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_10999b99-9a8d-4b92-9fbd-01e3fac01cd5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Venom Multi-hop Proxy agent detection, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Driver Loaded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Disabled IE Security Features, Raccine Uninstall, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, Sticky Key Like Backdoor Usage, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, Autorun Keys Modification"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Crowdstrike Falcon Telemetry", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Venom Multi-hop Proxy agent detection, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious Driver Loaded, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Suspicious Driver Loaded, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Usage Of Sysinternals Tools"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json index 12c08bddba..62e5e7826c 100644 --- a/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_162064f0-c594-455e-ac24-2d7129137688_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Disabled IE Security Features, Raccine Uninstall, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Linux [DEPRECATED]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json index 7c300da521..4371143ceb 100644 --- a/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_16676d72-463e-4b8a-b13a-f8dd48cddc8c_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare WAF events", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json index 75cb9f218d..2f0c0fd2b6 100644 --- a/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_19cd2ed6-f90c-47f7-a46b-974354a107bb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Suspicious Browser"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Anonymous IP, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Suspicious Browser"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft Entra ID / Azure AD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1583", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Anonymous IP"}, {"techniqueID": "T1584", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Leaked Credentials, Microsoft Entra ID (Azure AD) Suspicious Inbox Forwarding, Microsoft Entra ID (Azure AD) Impossible Travel, Microsoft Entra ID (Azure AD) Malicious IP, Microsoft Entra ID (Azure AD) Password Spray, Microsoft Entra ID (Azure AD) Unfamiliar Features, Microsoft Entra ID (Azure AD) Token Issuer Anomaly, Microsoft Entra ID (Azure AD) Suspicious IP, Microsoft Entra ID (Azure AD) Abnormal Token, Microsoft Entra ID (Azure AD) Sign-in From Unlikely Country, Microsoft Entra ID (Azure AD) Threat Intelligence, Microsoft Entra ID (Azure AD) Suspicious Browser, Microsoft Entra ID (Azure AD) Anonymous IP"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Self Service Password Reset In Failure"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Domain Trust Modification"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft Entra ID (Azure AD) Device Code Authentication"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json index 35e9bbe27a..0d77b743e7 100644 --- a/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file +{"name": "SEKOIA.IO x CEF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json index 3a8941dad6..958a187e46 100644 --- a/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_20876735-c423-4bbc-9d19-67edc91fb063_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Disabled IE Security Features, Raccine Uninstall, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x RSA SecurID", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json index 5ba78e5203..fb851072d3 100644 --- a/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_22f2afd2-c858-443d-8e06-7b335e439c29_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CertOC Loading Dll, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Mshta Execution, Control Panel Items, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, MavInject Process Injection, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Mshta JavaScript Execution, MOFComp Execution, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, SolarWinds Suspicious File Creation, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, CrowdStrike Falcon Intrusion Detection High Severity, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Medium Severity, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent, CrowdStrike Falcon Intrusion Detection Low Severity"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, CrowdStrike Falcon Intrusion Detection High Severity, Suspicious Taskkill Command, Koadic Execution, Trickbot Malware Activity, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, CrowdStrike Falcon Intrusion Detection Informational Severity, CrowdStrike Falcon Intrusion Detection, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, CrowdStrike Falcon Intrusion Detection Medium Severity, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Critical Severity, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, QakBot Process Creation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploiting SetupComplete.cmd CVE-2019-1378, Bloodhound and Sharphound Tools Usage, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, CrowdStrike Falcon Intrusion Detection Low Severity"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Intrusion Detection Medium Severity, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Critical Severity, CrowdStrike Falcon Intrusion Detection Low Severity, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Intrusion Detection High Severity, Microsoft Office Spawning Script, CrowdStrike Falcon Intrusion Detection, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names, CrowdStrike Falcon Intrusion Detection Informational Severity"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Impacket Wmiexec Module, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x CrowdStrike Falcon", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious HWP Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, CertOC Loading Dll, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, CMSTP Execution, Empire Monkey Activity, xWizard Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, MOFComp Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection, SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, CrowdStrike Falcon Intrusion Detection High Severity, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent, Rare Lsass Child Found, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Wmiprvse Wrong Parent, CrowdStrike Falcon Intrusion Detection Low Severity, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, CrowdStrike Falcon Intrusion Detection Critical Severity, Windows Update LolBins"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection, Python Offensive Tools and Packages, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, CrowdStrike Falcon Intrusion Detection High Severity, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, CrowdStrike Falcon Intrusion Detection Medium Severity, AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, CrowdStrike Falcon Intrusion Detection Informational Severity, Sysprep On AppData Folder, MalwareBytes Uninstallation, CrowdStrike Falcon Intrusion Detection Low Severity, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Powershell Web Request, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, QakBot Process Creation, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, CrowdStrike Falcon Intrusion Detection Critical Severity"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: CrowdStrike Falcon Intrusion Detection, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, CrowdStrike Falcon Intrusion Detection High Severity, SquirrelWaffle Malspam Execution Loading DLL, CrowdStrike Falcon Intrusion Detection Medium Severity, CrowdStrike Falcon Intrusion Detection Informational Severity, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Suspicious Outlook Child Process, CrowdStrike Falcon Intrusion Detection Low Severity, Microsoft Office Product Spawning Windows Shell, CrowdStrike Falcon Intrusion Detection Critical Severity, IcedID Execution Using Excel"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json index 9faf5855c9..c82775cacb 100644 --- a/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_23b75d0c-2026-4d3e-b916-636c27ba4931_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Secure Web Appliance", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json index a6c6a6c159..6d5ef01a8e 100644 --- a/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_250e4095-fa08-4101-bb02-e72f870fcbd1_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Disable Security Events Logging Adding Reg Key MiniNt, Disable Windows Defender Credential Guard, Disable .NET ETW Through COMPlus_ETWEnabled, NetNTLM Downgrade Attack, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, Suspicious Driver Loaded, NetSh Used To Disable Windows Firewall, Suspect Svchost Memory Access, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Exclusion Configuration, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Python Opening Ports, Netsh RDP Port Opening, Microsoft Defender Antivirus Configuration Changed, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Raccine Uninstall, Netsh Port Opening, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Malware Protection Engine Crash, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Disable Windows Defender Credential Guard, NetNTLM Downgrade Attack, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Exclusion Configuration, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Microsoft Defender Antivirus Configuration Changed, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Raccine Uninstall, Netsh Port Opening, Windows Defender Deactivation Using PowerShell Script, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Suspicious HWP Child Process, Suspicious New Printer Ports In Registry, Antivirus Relevant File Paths Alerts, Audit CVE Event, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CertOC Loading Dll, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, Control Panel Items, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, MavInject Process Injection, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Mshta JavaScript Execution, MOFComp Execution, Dynwrapx Module Loading, PowerShell Execution Via Rundll32, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Gpscript Suspicious Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Smbexec.py Service Installation, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Microsoft Defender Antivirus Threat Detected, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Credential Dumping Tools Service Execution, Suspicious DNS Child Process, Suspicious PsExec Execution, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Python Opening Ports, Netsh Allowed Python Program"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Password Dumper Activity On LSASS, Windows Credential Editor Registry Key, LSASS Access From Non System Account, LSASS Memory Dump File Creation, Unsigned Image Loaded Into LSASS Process, Cred Dump Tools Dropped Files, Lsass Access Through WinRM, Mimikatz LSASS Memory Access, Dumpert LSASS Process Dumper, Credential Dumping Tools Service Execution, LSASS Memory Dump, Credential Dumping By LaZagne, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Createdump, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names, Malicious Service Installations, Copying Sensitive Files With Credential Data, NetNTLM Downgrade Attack, Cred Dump Tools Dropped Files, SAM Registry Hive Handle Request, WCE wceaux.dll Creation, Process Memory Dump Using Createdump, Suspicious SAM Dump, NTDS.dit File In Suspicious Directory, Password Dumper Activity On LSASS, Windows Credential Editor Registry Key, LSASS Access From Non System Account, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Mimikatz LSASS Memory Access, Dumpert LSASS Process Dumper, Credential Dumping By LaZagne, DCSync Attack, Load Of dbghelp/dbgcore DLL From Suspicious Process, Rubeus Tool Command-line, DPAPI Domain Backup Key Extraction, RedMimicry Winnti Playbook Dropped File, Impacket Secretsdump.py Tool, Active Directory Replication from Non Machine Account, LSASS Memory Dump File Creation, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil, Credential Dumping Tools Service Execution, Mimikatz Basic Commands, Lsass Access Through WinRM, Transfering Files With Credential Data Via Network Shares"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Admin Share Access, Denied Access To Remote Desktop, MMC Spawning Windows Shell, RDP Port Change Using Powershell, Lsass Access Through WinRM, MMC20 Lateral Movement, RDP Login From Localhost"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Alternate PowerShell Hosts Pipe, Microsoft Office Creating Suspicious File, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Mustang Panda Dropper, Turla Named Pipes, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, In-memory PowerShell, Trickbot Malware Activity, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Outlook Child Process, WMI DLL Loaded Via Office, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Malicious PowerShell Keywords, PowerShell Downgrade Attack, PowerShell Credential Prompt, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Malspam Execution Registering Malicious DLL, Mshta Suspicious Child Process, Suspicious DLL Loaded Via Office Applications, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, QakBot Process Creation, WMIC Uninstall Product, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Venom Multi-hop Proxy agent detection, Exploiting SetupComplete.cmd CVE-2019-1378, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious Scripting In A WMI Consumer, Lazarus Loaders, Suspicious PowerShell Keywords, PowerShell - NTFS Alternate Data Stream, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Suspicious XOR Encoded PowerShell Command Line, Sysprep On AppData Folder, WMImplant Hack Tool, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Remote Registry Management Using Reg Utility, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Alternate PowerShell Hosts Pipe, FromBase64String Command Line, Turla Named Pipes, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Suspicious Taskkill Command, In-memory PowerShell, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, PowerShell Downgrade Attack, PowerShell Credential Prompt, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, PowerShell - NTFS Alternate Data Stream, Suspicious XOR Encoded PowerShell Command Line, WMImplant Hack Tool, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, GPO Executable Delivery"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Suspicious Outbound Kerberos Connection, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process, Possible Replay Attack"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, HarfangLab EDR Critical Level Rule Detection, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Process Execution Blocked, HarfangLab EDR High Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, HarfangLab EDR Critical Level Rule Detection, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, HarfangLab EDR Process Execution Blocked, HarfangLab EDR High Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Cobalt Strike Named Pipes, Malicious Named Pipe, Spoolsv Wrong Parent, MavInject Process Injection, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Process Hollowing Detection, Smss Wrong Parent, Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Process Herpaderping, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File, Impacket Secretsdump.py Tool, Copying Browser Files With Credentials, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, SAM Registry Hive Handle Request, Suspicious SAM Dump, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, TUN/TAP Driver Installation, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious LDAP-Attributes Used, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, NjRat Registry Changes, Narrator Feedback-Hub Persistence, Suspicious desktop.ini Action, Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Wmic Process Call Creation, WMI DLL Loaded Via Office, WMI Install Of Binary"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, Suspicious DLL Loaded Via Office Applications, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, WMI DLL Loaded Via Office"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Gpscript Suspicious Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Explorer Wrong Parent, Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Cobalt Strike Default Service Creation Usage, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, APT29 Fake Google Update Service Install, StoneDrill Service Install, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Gpscript Suspicious Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Explorer Wrong Parent, Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Cobalt Strike Default Service Creation Usage, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, APT29 Fake Google Update Service Install, StoneDrill Service Install, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Gpscript Suspicious Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Smbexec.py Service Installation, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Credential Dumping Tools Service Execution, Suspicious DNS Child Process, Suspicious PsExec Execution, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Event Subscription, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association, Suspicious Scripting In A WMI Consumer, New DLL Added To AppCertDlls Registry Key, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Secure Deletion With SDelete, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, ETW Tampering, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, Failed Logon Source From Public IP Addresses, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, GitLab CVE-2021-22205"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Creation or Modification of a GPO Scheduled Task, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Creation or Modification of a GPO Scheduled Task, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Remote Task Creation Via ATSVC Named Pipe, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Formbook Hijacked Process Command, RTLO Character, Execution From Suspicious Folder, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Trickbot Malware Activity, Phosphorus Domain Controller Discovery, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Admin Share Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Secure Deletion With SDelete, OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Cisco Umbrella Threat Detected, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Windows Registry Persistence COM Search Order Hijacking, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Suspicious DLL side loading from ProgramData, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SSH X11 Forwarding, Netsh Port Forwarding, SOCKS Tunneling Tool, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, SSH Tunnel Traffic"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Delegate To KRBTGT Service, Active Directory User Backdoors, User Added to Local Administrators, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Mimikatz Basic Commands, Privileged AD Builtin Group Modified, Active Directory Replication User Backdoor, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Privileged Operation, SCM Database Handle Failure, PowerView commandlets 2"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO, Rubeus Tool Command-line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, FlowCloud Malware, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, NetNTLM Downgrade Attack, Blue Mockingbird Malware, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, RDP Port Change Using Powershell, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Chafer (APT 39) Activity, Remote Registry Management Using Reg Utility, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, SysKey Registry Keys Access, Putty Sessions Listing, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection, CreateRemoteThread Common Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group, User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Admin User RDP Remote Logon"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete, Backup Catalog Deleted"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost, Denied Access To Remote Desktop"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sekoia.io Endpoint Agent", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, TrustedInstaller Impersonation, Microsoft Malware Protection Engine Crash, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Security Events Logging Adding Reg Key MiniNt, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Ryuk Ransomware Command Line, Disable .NET ETW Through COMPlus_ETWEnabled, Powershell AMSI Bypass, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Windows Defender Credential Guard, Python Opening Ports, Netsh Allow Command, Microsoft Defender Antivirus Tampering Detected, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Using Registry, Suspicious PROCEXP152.sys File Created In Tmp, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Suspect Svchost Memory Access, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, TrustedInstaller Impersonation, Microsoft Malware Protection Engine Crash, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Ryuk Ransomware Command Line, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Windows Defender Credential Guard, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Using Registry, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Opening, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Suspicious HWP Child Process, Msdt (Follina) File Browse Process Execution, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Audit CVE Event, Antivirus Password Dumper Detection"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, Dynwrapx Module Loading, PowerShell Execution Via Rundll32, CertOC Loading Dll, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, CMSTP Execution, Empire Monkey Activity, xWizard Execution, Explorer Process Executing HTA File, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, MOFComp Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, Winword wrong parent, Credential Dumping Tools Service Execution, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Microsoft Defender Antivirus Threat Detected, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Malicious Service Installations, Metasploit PSExec Service Creation, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Smbexec.py Service Installation, Suspicious PsExec Execution, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Python Opening Ports, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Password Dumper Activity On LSASS, Mimikatz LSASS Memory Access, LSASS Access From Non System Account, LSASS Memory Dump, Lsass Access Through WinRM, LSASS Memory Dump File Creation, Credential Dumping Tools Service Execution, Unsigned Image Loaded Into LSASS Process, Credential Dumping-Tools Common Named Pipes, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Cred Dump Tools Dropped Files, Dumpert LSASS Process Dumper, Credential Dumping By LaZagne"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Grabbing Sensitive Hives Via Reg Utility, Active Directory Database Dump Via Ntdsutil, HackTools Suspicious Process Names, Password Dumper Activity On LSASS, Mimikatz LSASS Memory Access, LSASS Access From Non System Account, LSASS Memory Dump, Credential Dumping Tools Service Execution, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key, Transfering Files With Credential Data Via Network Shares, Process Memory Dump Using Comsvcs, Unsigned Image Loaded Into LSASS Process, Rubeus Tool Command-line, NetNTLM Downgrade Attack, Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, Cred Dump Tools Dropped Files, Lsass Access Through WinRM, Cmdkey Cached Credentials Recon, LSASS Memory Dump File Creation, DPAPI Domain Backup Key Extraction, HackTools Suspicious Process Names In Command Line, Malicious Service Installations, Active Directory Replication from Non Machine Account, Copying Sensitive Files With Credential Data, Credential Dumping By LaZagne, Mimikatz Basic Commands, Suspicious SAM Dump, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, WCE wceaux.dll Creation, Credential Dumping-Tools Common Named Pipes, NTDS.dit File Interaction Through Command Line, DCSync Attack, Wdigest Enable UseLogonCredential, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, MMC Spawning Windows Shell, Protected Storage Service Access, Lsass Access Through WinRM, RDP Port Change Using Powershell, MMC20 Lateral Movement, Admin Share Access, Denied Access To Remote Desktop, Lateral Movement - Remote Named Pipe, RDP Login From Localhost, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Elise Backdoor, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, WMIC Uninstall Product, Mustang Panda Dropper, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, WMI DLL Loaded Via Office, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious DLL Loaded Via Office Applications, In-memory PowerShell, Mustang Panda Dropper, Suspicious Taskkill Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Venom Multi-hop Proxy agent detection, PowerShell Download From URL, PowerShell - NTFS Alternate Data Stream, PowerShell Credential Prompt, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Threat Detected, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Trickbot Malware Activity, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Alternate PowerShell Hosts Pipe, PowerShell Malicious PowerShell Commandlets, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, Malicious PowerShell Keywords, AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious Outlook Child Process, WMImplant Hack Tool, PowerShell Invoke Expression With Registry, Turla Named Pipes, Powershell Web Request, Suspicious VBS Execution Parameter, FromBase64String Command Line, Invoke-TheHash Commandlets, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, QakBot Process Creation, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Detection of default Mimikatz banner, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, In-memory PowerShell, Suspicious Taskkill Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, PowerShell - NTFS Alternate Data Stream, PowerShell Credential Prompt, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Alternate PowerShell Hosts Pipe, PowerShell Malicious PowerShell Commandlets, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Mshta Suspicious Child Process, WMImplant Hack Tool, PowerShell Invoke Expression With Registry, Turla Named Pipes, Powershell Web Request, FromBase64String Command Line, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, DNS Exfiltration and Tunneling Tools Execution, Detection of default Mimikatz banner"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Suspicious Outbound Kerberos Connection, Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Winword Document Droppers, Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Winword Document Droppers, Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Suspicious Outlook Child Process, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Malicious Named Pipe, Taskhostw Wrong Parent, Process Herpaderping, Explorer Wrong Parent, Searchprotocolhost Wrong Parent, Cobalt Strike Named Pipes, Searchindexer Wrong Parent, MavInject Process Injection, Dynwrapx Module Loading, CreateRemoteThread Common Process Injection, Smss Wrong Parent, Process Hollowing Detection, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, Credential Dumping Tools Service Execution, Copying Browser Files With Credentials, Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil, NTDS.dit File Interaction Through Command Line, Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, Cred Dump Tools Dropped Files, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, TUN/TAP Driver Installation, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Suspicious LDAP-Attributes Used, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, Suspicious Windows DNS Queries, Python HTTP Server"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, DLL Load via LSASS Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Powershell Winlogon Helper DLL, NjRat Registry Changes, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, WMImplant Hack Tool, WMI DLL Loaded Via Office, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, Chafer (APT 39) Activity, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, OneNote Suspicious Children Process, Logonui Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Malicious Service Installations, Wmiprvse Wrong Parent, Lsass Wrong Parent, New Service Creation, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, APT29 Fake Google Update Service Install, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, Chafer (APT 39) Activity, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, OneNote Suspicious Children Process, Logonui Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Malicious Service Installations, Wmiprvse Wrong Parent, Lsass Wrong Parent, New Service Creation, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, APT29 Fake Google Update Service Install, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Credential Dumping Tools Service Execution, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Malicious Service Installations, Metasploit PSExec Service Creation, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Smbexec.py Service Installation, Suspicious PsExec Execution, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Event Subscription, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Network Connection Via Certutil, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Eventlog Cleared"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, New Or Renamed User Account With '$' In Attribute 'SamAccountName', AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262, Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus Domain Controller Discovery, AdFind Usage, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, OneNote Embedded File, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process, Suspicious Outlook Child Process, Cisco Umbrella Threat Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, Windows Registry Persistence COM Search Order Hijacking, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SSH X11 Forwarding, Exfiltration And Tunneling Tools Execution, SSH Tunnel Traffic, SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Delegate To KRBTGT Service, Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, User Added to Local Administrators, Privileged AD Builtin Group Modified, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Active Directory Replication User Backdoor, Active Directory User Backdoors"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, AD User Enumeration, PowerView commandlets 2, Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 1, SCM Database Privileged Operation, PowerView commandlets 2"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Abusing Azure Browser SSO"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, Remote Registry Management Using Reg Utility, Chafer (APT 39) Activity, OceanLotus Registry Activity, DNS ServerLevelPluginDll Installation, NetNTLM Downgrade Attack, RDP Sensitive Settings Changed, Disable Security Events Logging Adding Reg Key MiniNt, Ursnif Registry Key, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Suspicious Taskkill Command, Putty Sessions Listing, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, Suspicious Headless Web Browser Execution To Download File, System Info Discovery"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Denied Access To Remote Desktop, User Added to Local Administrators, Account Added To A Security Enabled Group"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution, DCSync Attack"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json index ae7977f3ab..93645c50d3 100644 --- a/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_270777d7-0c5a-42fb-b901-b7fadfb0ba48_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fortinet FortiProxy", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Email Attachment Received, SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2019-11510 Pulse Secure Exploit, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-43798 Grafana Directory Traversal, CVE-2020-5902 F5 BIG-IP Exploitation Attempts"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Email Attachment Received"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json index 5e6503dd06..cde572d34c 100644 --- a/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2815eaab-2425-4eff-8038-3f7d5a3b8b11_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CertOC Loading Dll, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Mshta Execution, Control Panel Items, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, MavInject Process Injection, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Mshta JavaScript Execution, MOFComp Execution, PowerShell Execution Via Rundll32, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Microsoft Defender Antivirus Threat Detected, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, Suspicious Driver Loaded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Trickbot Malware Activity, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, QakBot Process Creation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Exploiting SetupComplete.cmd CVE-2019-1378, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Audit CVE Event, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Suspicious Windows DNS Queries, Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, NjRat Registry Changes, Suspicious desktop.ini Action, Autorun Keys Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Impacket Wmiexec Module, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious HWP Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, CertOC Loading Dll, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, CMSTP Execution, Empire Monkey Activity, xWizard Execution, Explorer Process Executing HTA File, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, MOFComp Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Microsoft Defender Antivirus Threat Detected, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Disable .NET ETW Through COMPlus_ETWEnabled, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Microsoft Defender Antivirus Threat Detected, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Powershell Web Request, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, QakBot Process Creation, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Threat Detected, Sysmon Windows File Block Executable, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641, Audit CVE Event"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, NjRat Registry Changes, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json index 10358ac934..4228de2ffb 100644 --- a/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2b13307b-7439-4973-900a-2b58303cac90_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x VMware ESXi [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Disabled IE Security Features, Raccine Uninstall, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Python HTTP Server, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x VMware ESXi [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, WCE wceaux.dll Creation, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json index e3888b401b..767ae77227 100644 --- a/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco ESA [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco ESA [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json index d1fb0e31cb..b16a68766d 100644 --- a/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_325369ba-8515-45b4-b750-5db882ea1266_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json index d79a0fe8a4..e9065df2db 100644 --- a/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3c7057d3-4689-4fae-8033-6f1f887a70f2_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Nimbo-C2 User Agent, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CertOC Loading Dll, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Mshta Execution, Control Panel Items, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, MavInject Process Injection, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Mshta JavaScript Execution, MOFComp Execution, PowerShell Execution Via Rundll32, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Microsoft Defender Antivirus Threat Detected, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, Suspicious Driver Loaded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Trickbot Malware Activity, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, QakBot Process Creation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Exploiting SetupComplete.cmd CVE-2019-1378, Bloodhound and Sharphound Tools Usage, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Hlai Engine Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Low Level Rule Detection, Sysmon Windows File Block Executable, HarfangLab EDR Critical Level Rule Detection, HarfangLab EDR Process Execution Blocked, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, HarfangLab EDR Critical Level Rule Detection, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, HarfangLab EDR Process Execution Blocked, HarfangLab EDR High Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, HackTools Suspicious Process Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, NjRat Registry Changes, Suspicious desktop.ini Action, Autorun Keys Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Impacket Wmiexec Module, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x HarfangLab EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Nimbo-C2 User Agent, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious HWP Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, CertOC Loading Dll, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, CMSTP Execution, Empire Monkey Activity, xWizard Execution, Explorer Process Executing HTA File, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, MOFComp Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Microsoft Defender Antivirus Threat Detected, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Python Offensive Tools and Packages, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Microsoft Defender Antivirus Threat Detected, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Powershell Web Request, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, QakBot Process Creation, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: HarfangLab EDR Hlai Engine Detection, Microsoft Office Creating Suspicious File, HarfangLab EDR Low Level Rule Detection, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked, SquirrelWaffle Malspam Execution Loading DLL, HarfangLab EDR Critical Level Rule Detection, Sysmon Windows File Block Executable, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, HarfangLab EDR High Level Rule Detection, Microsoft Office Product Spawning Windows Shell, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Winword Document Droppers, Microsoft Office Spawning Script, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Suspicious Outlook Child Process, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, HarfangLab EDR Process Execution Blocked, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names, Process Trace Alteration, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, NjRat Registry Changes, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json index 1ddb79b209..067d05e745 100644 --- a/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3e060900-4004-4754-a597-d2944a601930_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert, AWS GuardDuty Medium Severity Alert"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS GuardDuty", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS GuardDuty Medium Severity Alert, AWS GuardDuty High Severity Alert, AWS GuardDuty Low Severity Alert"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json index 42754c0576..2351b5d80e 100644 --- a/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_3f330d19-fdea-48ac-96bd-91a447bb26bd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR CorePUA Clean, Sophos EDR Application Blocked, Download Files From Suspicious TLDs, Sophos EDR Application Detected, Sophos EDR CorePUA Detection"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Sophos EDR CorePUA Clean, Download Files From Suspicious TLDs, Sophos EDR CorePUA Detection, Sophos EDR Application Blocked, Sophos EDR Application Detected"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json index c2c7f33a55..df799635c9 100644 --- a/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Skyhigh Secure Web Gateway / McAfee Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json index 380e0e32b5..965eaea2fe 100644 --- a/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_40deb162-6bb1-4635-9c99-5c2de7e1d340_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CertOC Loading Dll, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Mshta Execution, Control Panel Items, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, MavInject Process Injection, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Mshta JavaScript Execution, MOFComp Execution, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, Suspicious Driver Loaded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Trickbot Malware Activity, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, QakBot Process Creation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploiting SetupComplete.cmd CVE-2019-1378, Bloodhound and Sharphound Tools Usage, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, NjRat Registry Changes, Autorun Keys Modification"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Impacket Wmiexec Module, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 2.0 [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, CertOC Loading Dll, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, CMSTP Execution, Empire Monkey Activity, xWizard Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, MOFComp Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Disable .NET ETW Through COMPlus_ETWEnabled, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Python Offensive Tools and Packages, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Powershell Web Request, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, QakBot Process Creation, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, Suspicious DNS Child Process, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, NjRat Registry Changes, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json index 4198f5291f..5efae4978b 100644 --- a/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Interactive Terminal Spawned via Python, AutoIt3 Execution From Suspicious Folder, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Terminate, Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Quarantined"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Broadcom/Symantec Endpoint Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Interactive Terminal Spawned via Python, Bloodhound and Sharphound Tools Usage, AutoIt3 Execution From Suspicious Folder, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Venom Multi-hop Proxy agent detection, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: SELinux Disabling, Disabled Service"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Disabled Service"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Broadcom/Symantec Endpoint Security Event Quarantined, Broadcom/Symantec Endpoint Security Event Blocked, Broadcom/Symantec Endpoint Security Event Cleaned, Broadcom/Symantec Endpoint Security Event Terminate"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json index d52e817497..7b92685061 100644 --- a/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_41e3ca4e-a714-41aa-ad69-684a0b3835fc_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sekoia.io activity logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json index 3c25376dce..9268cfccca 100644 --- a/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_44439212-c2d8-4645-ad60-8fd5e39140b3_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Google Cloud Audit Logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json index 53301c7e64..10c6067e24 100644 --- a/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default GET beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Secure Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, LokiBot Default C2 URL, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Exfiltration And Tunneling Tools Execution, Suspicious Windows DNS Queries, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json index 370f69cd36..cc28be5f80 100644 --- a/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_469bd3ae-61c9-4c39-9703-7452882e70da_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cato Networks SASE", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json index 689a4bb831..99c7b0cbd6 100644 --- a/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46ca6fc8-3d30-434c-92ff-0e1cde564161_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Proofpoint TAP Email Classified As Spam But Allowed, Download Files From Suspicious TLDs"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Proofpoint TAP", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Proofpoint TAP Email Classified As Phishing But Allowed, Proofpoint TAP Email Classified As Malware But Allowed, Proofpoint TAP Email Classified As Spam But Allowed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json index 393842b6e0..b0997ba18e 100644 --- a/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46e45417-187b-45bb-bf81-30df7b1963a0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json index bda8fa1393..d671a62d3c 100644 --- a/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_46fe3905-9e38-4fb2-be09-44d31626b694_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (MultiScan), SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Retarus Email Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Retarus Email Security Threat Detected (CxO Or Patient Zero Detection), Download Files From Non-Legitimate TLDs, Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan)"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (Sandboxing), Retarus Email Security Threat Detected (MultiScan), Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Retarus Email Security Threat Detected (CxO Or Patient Zero Detection)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json index 58936f627d..a890a2ea1f 100644 --- a/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_547234b3-82ea-4507-b28f-3ee3cd5b9a8e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Duo Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json index 6ade45851a..c86d0fae0a 100644 --- a/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_5702ae4e-7d8a-455f-a47b-ef64dd87c981_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Fortinet FortiGate", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1110", "score": 100, "comment": "Rules: Fortinet FortiGate Firewall Login In Failure"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json index ea77bcd07a..54229e9081 100644 --- a/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_588a448b-c08d-4139-a746-b2b9f366e34b_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Access Requests", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json index 5e885d4fea..de979ee215 100644 --- a/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_591feb54-1d1f-4453-b780-b225c59e9f99_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CMSTP Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Phorpiex DriveMgr Command, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious Windows Script Execution, Socat Relaying Socket, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, AutoIt3 Execution From Suspicious Folder, Socat Reverse Shell Detection, PowerShell Download From URL, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Venom Multi-hop Proxy agent detection, Bloodhound and Sharphound Tools Usage, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, SELinux Disabling, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, SELinux Disabling, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Socat Reverse Shell Detection, Socat Relaying Socket, SOCKS Tunneling Tool, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco NX-OS", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Control Panel Items, Suspicious Windows Installer Execution, Mshta JavaScript Execution, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, PowerShell Execution Via Rundll32, Suspicious Control Process, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Lazarus Loaders, Koadic Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Socat Relaying Socket, Python Offensive Tools and Packages, Elise Backdoor, Interactive Terminal Spawned via Python, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Venom Multi-hop Proxy agent detection, PowerShell Download From URL, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious VBS Execution Parameter, Powershell Web Request, Socat Reverse Shell Detection, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, Koadic Execution, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, SELinux Disabling, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disabled Service, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, SELinux Disabling, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disabled Service, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Ngrok Process Execution, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json index c39e19e8e6..252eef5bb5 100644 --- a/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_59991ced-c2a0-4fb0-91f3-49e3993c16f5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Exploiting SetupComplete.cmd CVE-2019-1378, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Package Manager Alteration, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Disabled IE Security Features, Raccine Uninstall, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Tanium", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json index 338398c78d..e50de935f3 100644 --- a/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_622999fe-d383-4d41-9f2d-eed5013fe463_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SonicWall Secure Mobile Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SonicWall Secure Mobile Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json index fd67aeb44f..e090794f4c 100644 --- a/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_69b52166-b804-4f47-860f-2d3fd0b46987_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Azure Front Door", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json index aecbfade41..08cb74df0c 100644 --- a/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6b8cb346-6605-4240-ac15-3828627ba899_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Phorpiex DriveMgr Command, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, WMIC Uninstall Product, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Lazarus Loaders, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Phorpiex DriveMgr Command, MalwareBytes Uninstallation, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Microsoft Defender Antivirus Restoration Abuse, Netsh Port Forwarding, Raccine Uninstall, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Using Registry, Suspicious Microsoft Defender Antivirus Exclusion Command, Address Space Layout Randomization (ASLR) Alteration, Debugging Software Deactivation, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, MalwareBytes Uninstallation, Microsoft Defender Antivirus Signatures Removed With MpCmdRun"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Disabled IE Security Features, Raccine Uninstall, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Change Default File Association, New DLL Added To AppCertDlls Registry Key, Suspicious Netsh DLL Persistence, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, ETW Tampering, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, CertOC Loading Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, Suspicious DLL Loading By Ordinal, MavInject Process Injection"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, HackTools Suspicious Process Names In Command Line, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Outlook Registry Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WALLIX Bastion", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Lazarus Loaders, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, WMIC Uninstall Product, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, MalwareBytes Uninstallation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious PrinterPorts Creation (CVE-2020-1048), PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: WMIC Uninstall Product, Raccine Uninstall, Disabled IE Security Features, Disable Task Manager Through Registry Key, Debugging Software Deactivation, Microsoft Defender Antivirus Disable Using Registry, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Address Space Layout Randomization (ASLR) Alteration, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, MalwareBytes Uninstallation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, New DLL Added To AppCertDlls Registry Key, Change Default File Association, Control Panel Items"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: High Privileges Network Share Removal, Clear EventLogs Through CommandLine, ETW Tampering, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Windows Installer Execution, MavInject Process Injection, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, Suspicious Taskkill Command"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, HackTools Suspicious Process Names In Command Line, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: XCopy Suspicious Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Outlook Registry Access, XCopy Suspicious Usage"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, BazarLoader Persistence Using Schtasks, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: Listing Systemd Environment"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json index d0a7766ec8..4a45181718 100644 --- a/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_6dbdd199-77ae-4705-a5de-5c2722fa020e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Ubika WAAP Gateway [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json index 37891ab9a0..865cfbb96f 100644 --- a/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_7b1317ec-3f87-4b53-9b6d-3f79045f28fa_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway DNS [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json index 4b2f60687e..4a9079679b 100644 --- a/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_80de6ccb-7246-40de-bcbb-bc830118c1f9_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Delete Action, GitHub Outside Collaborator Detected, GitHub New Organization Member, GitHub Dependabot Or Vulnerability Alerts Disabled, GitHub High Risk Configuration Disabled"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Github Audit logs [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub Delete Action, GitHub New Organization Member, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: GitHub Outside Collaborator Detected, GitHub Delete Action, GitHub New Organization Member, GitHub High Risk Configuration Disabled, GitHub Dependabot Or Vulnerability Alerts Disabled"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json index 55f14fdecc..37a7aeb87f 100644 --- a/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_864ade96-a96d-4a0e-ab3d-b7cb7b7db618_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Infoblox DDI", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json index c242a857f4..15f51f7348 100644 --- a/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_890207d2-4878-440d-9079-3dd25d472e0a_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x ADAudit Plus [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation, NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x ADAudit Plus [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json index e70173ca31..a92cec3891 100644 --- a/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8c1bee36-d516-42f9-9b6f-a8e4dcac3d1d_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CertOC Loading Dll, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Mshta Execution, Control Panel Items, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, MavInject Process Injection, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Mshta JavaScript Execution, MOFComp Execution, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Trickbot Malware Activity, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, QakBot Process Creation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploiting SetupComplete.cmd CVE-2019-1378, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Impacket Wmiexec Module, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SentinelOne Cloud Funnel 1.0 [Deprecated]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, CertOC Loading Dll, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, CMSTP Execution, Empire Monkey Activity, xWizard Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, MOFComp Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Powershell Web Request, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, QakBot Process Creation, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Trace Alteration, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, Suspicious DNS Child Process, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: NjRat Registry Changes, Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json index a895bb3d29..42996bcca7 100644 --- a/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_8d8f040d-6a75-4bf4-bf1d-772e9a30f0dd_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CMSTP Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, TEHTRIS EDR Alert, PsExec Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Phorpiex DriveMgr Command, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, TEHTRIS EDR Alert, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Explorer Process Executing HTA File, TEHTRIS EDR Alert, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Phorpiex Process Masquerading, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]} \ No newline at end of file +{"name": "SEKOIA.IO x TEHTRIS EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Control Panel Items, Suspicious Windows Installer Execution, Mshta JavaScript Execution, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, PowerShell Execution Via Rundll32, Suspicious Control Process, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, TEHTRIS EDR Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Lazarus Loaders, Koadic Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, TEHTRIS EDR Alert, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious VBS Execution Parameter, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, Koadic Execution, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: TEHTRIS EDR Alert, Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, RTLO Character"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Suspicious desktop.ini Action, Kernel Module Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Phorpiex Process Masquerading"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json index e7a20c7fc4..24b3b32452 100644 --- a/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_9281438c-f7c3-4001-9bcc-45fd108ba1be_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Python HTTP Server, Suspicious LDAP-Attributes Used, DNS Exfiltration and Tunneling Tools Execution, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, DNS Tunnel Technique From MuddyWater, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Chafer (APT 39) Activity, Koadic MSHTML Command, Nimbo-C2 User Agent, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Possible Malicious File Double Extension, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Suspicious PROCEXP152.sys File Created In Tmp, Windows Firewall Changes, Microsoft Malware Protection Engine Crash, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Disable Security Events Logging Adding Reg Key MiniNt, Disable Windows Defender Credential Guard, Disable .NET ETW Through COMPlus_ETWEnabled, NetNTLM Downgrade Attack, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, Suspicious Driver Loaded, NetSh Used To Disable Windows Firewall, Suspect Svchost Memory Access, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Exclusion Configuration, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Python Opening Ports, Netsh RDP Port Opening, Microsoft Defender Antivirus Configuration Changed, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Suspicious PROCEXP152.sys File Created In Tmp, Microsoft Malware Protection Engine Crash, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Disable Windows Defender Credential Guard, NetNTLM Downgrade Attack, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Exclusion Configuration, Ryuk Ransomware Command Line, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Microsoft Defender Antivirus Configuration Changed, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Windows Defender Deactivation Using PowerShell Script, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Exploit For CVE-2015-1641, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection, Download Files From Suspicious TLDs, Suspicious HWP Child Process, Suspicious New Printer Ports In Registry, Download Files From Non-Legitimate TLDs, Antivirus Relevant File Paths Alerts, Audit CVE Event, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CertOC Loading Dll, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Desktopimgdownldr Execution, Suspicious Mshta Execution, Control Panel Items, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, MavInject Process Injection, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Mshta JavaScript Execution, MOFComp Execution, Dynwrapx Module Loading, PowerShell Execution Via Rundll32, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Gpscript Suspicious Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Smbexec.py Service Installation, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Microsoft Defender Antivirus Threat Detected, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Credential Dumping Tools Service Execution, Suspicious DNS Child Process, Suspicious PsExec Execution, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Powershell AMSI Bypass, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Python Opening Ports, Netsh Allowed Python Program"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Password Dumper Activity On LSASS, Windows Credential Editor Registry Key, LSASS Access From Non System Account, LSASS Memory Dump File Creation, Unsigned Image Loaded Into LSASS Process, Cred Dump Tools Dropped Files, Lsass Access Through WinRM, Mimikatz LSASS Memory Access, Dumpert LSASS Process Dumper, Credential Dumping Tools Service Execution, LSASS Memory Dump, Credential Dumping By LaZagne, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Createdump, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Unsigned Image Loaded Into LSASS Process, LSASS Memory Dump, Process Memory Dump Using Rdrleakdiag, Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names, Malicious Service Installations, Copying Sensitive Files With Credential Data, NetNTLM Downgrade Attack, Process Trace Alteration, Cred Dump Tools Dropped Files, SAM Registry Hive Handle Request, WCE wceaux.dll Creation, Process Memory Dump Using Createdump, Suspicious SAM Dump, NTDS.dit File In Suspicious Directory, Password Dumper Activity On LSASS, Windows Credential Editor Registry Key, LSASS Access From Non System Account, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Wdigest Enable UseLogonCredential, Mimikatz LSASS Memory Access, Dumpert LSASS Process Dumper, Credential Dumping By LaZagne, DCSync Attack, Load Of dbghelp/dbgcore DLL From Suspicious Process, Rubeus Tool Command-line, DPAPI Domain Backup Key Extraction, RedMimicry Winnti Playbook Dropped File, Impacket Secretsdump.py Tool, Active Directory Replication from Non Machine Account, LSASS Memory Dump File Creation, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil, Credential Dumping Tools Service Execution, Mimikatz Basic Commands, Lsass Access Through WinRM, Transfering Files With Credential Data Via Network Shares"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Admin Share Access, Denied Access To Remote Desktop, MMC Spawning Windows Shell, RDP Port Change Using Powershell, Lsass Access Through WinRM, MMC20 Lateral Movement, RDP Login From Localhost"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Mustang Panda Dropper, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Malspam Execution Registering Malicious DLL, Suspicious Taskkill Command, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Alternate PowerShell Hosts Pipe, Microsoft Office Creating Suspicious File, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Mustang Panda Dropper, Turla Named Pipes, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, In-memory PowerShell, Trickbot Malware Activity, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Powershell Web Request, Suspicious Outlook Child Process, WMI DLL Loaded Via Office, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Malicious PowerShell Keywords, PowerShell Downgrade Attack, PowerShell Credential Prompt, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Malspam Execution Registering Malicious DLL, Mshta Suspicious Child Process, Suspicious DLL Loaded Via Office Applications, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, QakBot Process Creation, WMIC Uninstall Product, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Venom Multi-hop Proxy agent detection, Exploiting SetupComplete.cmd CVE-2019-1378, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious Scripting In A WMI Consumer, Lazarus Loaders, Suspicious PowerShell Keywords, PowerShell - NTFS Alternate Data Stream, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Suspicious XOR Encoded PowerShell Command Line, Sysprep On AppData Folder, WMImplant Hack Tool, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Remote Registry Management Using Reg Utility, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Alternate PowerShell Hosts Pipe, FromBase64String Command Line, Turla Named Pipes, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Suspicious Taskkill Command, In-memory PowerShell, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, PowerShell Downgrade Attack, PowerShell Credential Prompt, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, Detection of default Mimikatz banner, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, PowerShell - NTFS Alternate Data Stream, Suspicious XOR Encoded PowerShell Command Line, WMImplant Hack Tool, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, Domain Trust Created Or Removed, Privileged AD Builtin Group Modified, GPO Executable Delivery"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Suspicious Outbound Kerberos Connection, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process, Possible Replay Attack"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Download Files From Non-Legitimate TLDs, IcedID Execution Using Excel, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, HarfangLab EDR Critical Level Rule Detection, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Exploit For CVE-2015-1641, HarfangLab EDR Process Execution Blocked, HarfangLab EDR High Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell, Download Files From Non-Legitimate TLDs, IcedID Execution Using Excel, HarfangLab EDR Suspicious Process Behavior Has Been Detected, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, HarfangLab EDR Critical Level Rule Detection, Suspicious DLL Loaded Via Office Applications, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, HarfangLab EDR Process Execution Blocked, HarfangLab EDR High Level Rule Detection, Cobalt Strike Default Beacons Names, HarfangLab EDR Medium Level Rule Detection"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection, Antivirus Exploitation Framework Detection"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan, Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Process Herpaderping, Taskhostw Wrong Parent, Explorer Wrong Parent, MavInject Process Injection, Malicious Named Pipe, Spoolsv Wrong Parent, CreateRemoteThread Common Process Injection, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Cobalt Strike Named Pipes, Process Hollowing Detection, Dynwrapx Module Loading, Svchost Wrong Parent"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, RedMimicry Winnti Playbook Dropped File, Impacket Secretsdump.py Tool, Copying Browser Files With Credentials, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, SAM Registry Hive Handle Request, Suspicious SAM Dump, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files, NTDS.dit File Interaction Through Command Line, Active Directory Database Dump Via Ntdsutil"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution, TUN/TAP Driver Installation, Powershell UploadString Function, Potential DNS Tunnel"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, NjRat Registry Changes, Narrator Feedback-Hub Persistence, Suspicious desktop.ini Action, Autorun Keys Modification, Ryuk Ransomware Persistence Registry Key, DLL Load via LSASS Registry Key, Malware Persistence Registry Key, Registry Key Used By Some Old Agent Tesla Samples"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: AD Object WriteDAC Access, File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Wmic Process Call Creation, WMI DLL Loaded Via Office, WMI Install Of Binary"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Malspam Execution Registering Malicious DLL, Suspicious Windows Script Execution, Suspicious DLL Loaded Via Office Applications, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter, WMI DLL Loaded Via Office"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Gpscript Suspicious Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Explorer Wrong Parent, Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Cobalt Strike Default Service Creation Usage, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, APT29 Fake Google Update Service Install, StoneDrill Service Install, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Gpscript Suspicious Parent, Logonui Wrong Parent, Chafer (APT 39) Activity, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Explorer Wrong Parent, Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Cobalt Strike Default Service Creation Usage, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, APT29 Fake Google Update Service Install, StoneDrill Service Install, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, WMI Persistence Command Line Event Consumer, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Gpscript Suspicious Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Malicious Service Installations, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Smbexec.py Service Installation, Searchprotocolhost Child Found, Metasploit PSExec Service Creation, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Credential Dumping Tools Service Execution, Suspicious DNS Child Process, Suspicious PsExec Execution, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Event Subscription, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association, Suspicious Scripting In A WMI Consumer, New DLL Added To AppCertDlls Registry Key, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Network Connection Via Certutil, Suspicious Finger Usage, Suspicious Desktopimgdownldr Execution, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Secure Deletion With SDelete, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, Eventlog Cleared, ETW Tampering, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Failed Logon Source From Public IP Addresses, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, GitLab CVE-2021-22205, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Creation or Modification of a GPO Scheduled Task, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Creation or Modification of a GPO Scheduled Task, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Remote Task Creation Via ATSVC Named Pipe, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: Creation or Modification of a GPO Scheduled Task, GPO Executable Delivery"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Legitimate Process Execution From Unusual Folder, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, New Or Renamed User Account With '$' In Attribute 'SamAccountName', Formbook Hijacked Process Command, RTLO Character, Execution From Suspicious Folder, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Audit CVE Event, Microsoft Malware Protection Engine Crash"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Trickbot Malware Activity, Phosphorus Domain Controller Discovery, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Protected Storage Service Access, Lateral Movement - Remote Named Pipe, Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Cobalt Strike Default Service Creation Usage, Admin Share Access"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell EncodedCommand, Suspicious XOR Encoded PowerShell Command Line, Secure Deletion With SDelete, OneNote Embedded File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, TrevorC2 HTTP Communication, Covenant Default HTTP Beaconing, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Antivirus Web Shell Detection, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Antivirus Web Shell Detection, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line, Active Directory Shadow Credentials"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, Suspicious DLL side loading from ProgramData"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, Windows Registry Persistence COM Search Order Hijacking, DNS Server Error Failed Loading The ServerLevelPluginDLL, Dynamic Linker Hijacking From Environment Variable, Svchost DLL Search Order Hijack, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Suspicious DLL side loading from ProgramData, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool, Suspicious LDAP-Attributes Used"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Delegate To KRBTGT Service, Active Directory User Backdoors, User Added to Local Administrators, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Mimikatz Basic Commands, Privileged AD Builtin Group Modified, Add User to Privileged Group, Active Directory Replication User Backdoor, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, AD User Enumeration, AD Privileged Users Or Groups Reconnaissance, Remote Privileged Group Enumeration, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, AD User Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 1, SCM Database Privileged Operation, SCM Database Handle Failure, PowerView commandlets 2"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Potential RDP Connection To Non-Domain Host, Successful Overpass The Hash Attempt, Abusing Azure Browser SSO, Rubeus Tool Command-line"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, DHCP Callout DLL Installation, DNS ServerLevelPluginDll Installation, FlowCloud Malware, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, NetNTLM Downgrade Attack, Blue Mockingbird Malware, RDP Sensitive Settings Changed, RedMimicry Winnti Playbook Registry Manipulation, Wdigest Enable UseLogonCredential, RDP Port Change Using Powershell, Suspicious Desktopimgdownldr Execution, Suspicious New Printer Ports In Registry, Chafer (APT 39) Activity, Remote Registry Management Using Reg Utility, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, Suspicious Scripting In A WMI Consumer, WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Svchost DLL Search Order Hijack, Windows Registry Persistence COM Search Order Hijacking"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Possible RottenPotato Attack, Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command, SysKey Registry Keys Access, Putty Sessions Listing, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: Dynwrapx Module Loading, MavInject Process Injection, CreateRemoteThread Common Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Denied Access To Remote Desktop, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses, Account Added To A Security Enabled Group, User Added to Local Administrators, Account Tampering - Suspicious Failed Logon Reasons, Admin User RDP Remote Logon"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: DPAPI Domain Backup Key Extraction, Grabbing Sensitive Hives Via Reg Utility, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cred Dump Tools Dropped Files, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Audit CVE Event, Abusing Azure Browser SSO"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Secure Deletion With SDelete, Backup Catalog Deleted"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Suspect Svchost Memory Access, Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, Suspicious Network Args In Command Line"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Port Change Using Powershell, RDP Login From Localhost, Denied Access To Remote Desktop"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: DCSync Attack, Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Dynwrapx Module Loading, IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Audit CVE Event, Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In, IcedID Execution Using Excel, Office Application Startup Office Test"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Suspicious Hostname, Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Blue Mockingbird Malware"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Discord Suspicious Download, Telegram Bot API Request"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Windows", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Suspicious LDAP-Attributes Used, DNS Exfiltration and Tunneling Tools Execution, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, Potential Bazar Loader User-Agents, Suspicious Windows DNS Queries, Covenant Default HTTP Beaconing, Koadic MSHTML Command, Potential Lemon Duck User-Agent, Python HTTP Server, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, TrustedInstaller Impersonation, Microsoft Malware Protection Engine Crash, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Disable Security Events Logging Adding Reg Key MiniNt, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Ryuk Ransomware Command Line, Disable .NET ETW Through COMPlus_ETWEnabled, Address Space Layout Randomization (ASLR) Alteration, Powershell AMSI Bypass, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Windows Defender Credential Guard, Python Opening Ports, Netsh Allow Command, Microsoft Defender Antivirus Tampering Detected, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Using Registry, Suspicious PROCEXP152.sys File Created In Tmp, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Suspect Svchost Memory Access, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, TrustedInstaller Impersonation, Microsoft Malware Protection Engine Crash, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Ryuk Ransomware Command Line, Address Space Layout Randomization (ASLR) Alteration, NetNTLM Downgrade Attack, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Disable Windows Defender Credential Guard, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Configuration Changed, Microsoft Defender Antivirus Disable Using Registry, Suspicious PROCEXP152.sys File Created In Tmp, Netsh RDP Port Opening, MalwareBytes Uninstallation, Microsoft Defender Antivirus Exclusion Configuration, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Suspicious HWP Child Process, Msdt (Follina) File Browse Process Execution, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Audit CVE Event, Antivirus Password Dumper Detection"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Desktopimgdownldr Execution, AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, Dynwrapx Module Loading, PowerShell Execution Via Rundll32, CertOC Loading Dll, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, CMSTP Execution, Empire Monkey Activity, xWizard Execution, Explorer Process Executing HTA File, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, MOFComp Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, Winword wrong parent, Credential Dumping Tools Service Execution, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Microsoft Defender Antivirus Threat Detected, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Malicious Service Installations, Metasploit PSExec Service Creation, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Smbexec.py Service Installation, Suspicious PsExec Execution, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Python Opening Ports, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1129", "score": 100, "comment": "Rules: FoggyWeb Backdoor DLL Loading"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Password Dumper Activity On LSASS, Mimikatz LSASS Memory Access, LSASS Access From Non System Account, LSASS Memory Dump, Lsass Access Through WinRM, LSASS Memory Dump File Creation, Credential Dumping Tools Service Execution, Unsigned Image Loaded Into LSASS Process, Credential Dumping-Tools Common Named Pipes, Load Of dbghelp/dbgcore DLL From Suspicious Process, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Cred Dump Tools Dropped Files, Dumpert LSASS Process Dumper, Credential Dumping By LaZagne"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Grabbing Sensitive Hives Via Reg Utility, Active Directory Database Dump Via Ntdsutil, HackTools Suspicious Process Names, Password Dumper Activity On LSASS, Mimikatz LSASS Memory Access, LSASS Access From Non System Account, LSASS Memory Dump, Credential Dumping Tools Service Execution, Copying Browser Files With Credentials, Process Memory Dump Using Rdrleakdiag, Load Of dbghelp/dbgcore DLL From Suspicious Process, Windows Credential Editor Registry Key, Transfering Files With Credential Data Via Network Shares, Process Memory Dump Using Comsvcs, Unsigned Image Loaded Into LSASS Process, Rubeus Tool Command-line, NetNTLM Downgrade Attack, Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, Cred Dump Tools Dropped Files, Process Trace Alteration, Lsass Access Through WinRM, Cmdkey Cached Credentials Recon, LSASS Memory Dump File Creation, DPAPI Domain Backup Key Extraction, HackTools Suspicious Process Names In Command Line, Malicious Service Installations, Active Directory Replication from Non Machine Account, Copying Sensitive Files With Credential Data, Credential Dumping By LaZagne, Mimikatz Basic Commands, Suspicious SAM Dump, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, WCE wceaux.dll Creation, Credential Dumping-Tools Common Named Pipes, NTDS.dit File Interaction Through Command Line, DCSync Attack, Wdigest Enable UseLogonCredential, Dumpert LSASS Process Dumper"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, MMC Spawning Windows Shell, Protected Storage Service Access, Lsass Access Through WinRM, RDP Port Change Using Powershell, MMC20 Lateral Movement, Admin Share Access, Denied Access To Remote Desktop, Lateral Movement - Remote Named Pipe, RDP Login From Localhost, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Elise Backdoor, Malspam Execution Registering Malicious DLL, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, WMIC Uninstall Product, Mustang Panda Dropper, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, WMI DLL Loaded Via Office, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious DLL Loaded Via Office Applications, In-memory PowerShell, Mustang Panda Dropper, Suspicious Taskkill Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Venom Multi-hop Proxy agent detection, PowerShell Download From URL, PowerShell - NTFS Alternate Data Stream, PowerShell Credential Prompt, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Threat Detected, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Trickbot Malware Activity, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Alternate PowerShell Hosts Pipe, PowerShell Malicious PowerShell Commandlets, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, Malicious PowerShell Keywords, AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious Outlook Child Process, WMImplant Hack Tool, PowerShell Invoke Expression With Registry, Turla Named Pipes, Powershell Web Request, Suspicious VBS Execution Parameter, FromBase64String Command Line, Invoke-TheHash Commandlets, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, QakBot Process Creation, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution, Detection of default Mimikatz banner, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage, Container Credential Access, XCopy Suspicious Usage, Opening Of a Password File, Remote Registry Management Using Reg Utility, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, In-memory PowerShell, Suspicious Taskkill Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, PowerShell - NTFS Alternate Data Stream, PowerShell Credential Prompt, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, Alternate PowerShell Hosts Pipe, PowerShell Malicious PowerShell Commandlets, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Mshta Suspicious Child Process, WMImplant Hack Tool, PowerShell Invoke Expression With Registry, Turla Named Pipes, Powershell Web Request, FromBase64String Command Line, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, DNS Exfiltration and Tunneling Tools Execution, Detection of default Mimikatz banner"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed, GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task, Privileged AD Builtin Group Modified"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Suspicious Outbound Kerberos Connection, Rubeus Tool Command-line, User Couldn't Call A Privileged Service LsaRegisterLogonProcess, Rubeus Register New Logon Process"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Winword Document Droppers, Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, Download Files From Suspicious TLDs, HarfangLab EDR Process Execution Blocked, Download Files From Non-Legitimate TLDs, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Winword Document Droppers, Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, HarfangLab EDR Suspicious Process Behavior Has Been Detected, IcedID Execution Using Excel, Cobalt Strike Default Beacons Names, Microsoft Defender Antivirus Threat Detected, Exploit For CVE-2015-1641, HarfangLab EDR High Level Rule Detection, HarfangLab EDR Hlai Engine Detection, HarfangLab EDR Low Level Rule Detection, MS Office Product Spawning Exe in User Dir, HarfangLab EDR Critical Level Rule Detection, Suspicious Outlook Child Process, Explorer Process Executing HTA File, HarfangLab EDR Medium Level Rule Detection, Download Files From Suspicious TLDs, HarfangLab EDR Process Execution Blocked, Download Files From Non-Legitimate TLDs, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Exploitation Framework Detection, Antivirus Relevant File Paths Alerts, Antivirus Password Dumper Detection"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: Audit CVE Event, Registry Checked For Lanmanserver DisableCompression Parameter, CVE-2019-0708 Scan"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Malicious Named Pipe, Process Herpaderping, Searchindexer Wrong Parent, Process Hollowing Detection, Searchprotocolhost Wrong Parent, Dynwrapx Module Loading, Address Space Layout Randomization (ASLR) Alteration, CreateRemoteThread Common Process Injection, MavInject Process Injection, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Cobalt Strike Named Pipes, Smss Wrong Parent, Svchost Wrong Parent, Taskhost Wrong Parent"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Suspicious SAM Dump, SAM Registry Hive Handle Request, RedMimicry Winnti Playbook Dropped File, Credential Dumping Tools Service Execution, Copying Browser Files With Credentials, Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: Active Directory Database Dump Via Ntdsutil, NTDS.dit File Interaction Through Command Line, Impacket Secretsdump.py Tool, NTDS.dit File In Suspicious Directory, Cred Dump Tools Dropped Files, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Exfiltration Domain In Command Line, TUN/TAP Driver Installation, Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Sliver DNS Beaconing, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, Registry Key Used By Some Old Agent Tesla Samples, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Narrator Feedback-Hub Persistence, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, DLL Load via LSASS Registry Key, Registry Key Used By Some Old Agent Tesla Samples, Powershell Winlogon Helper DLL, NjRat Registry Changes, Ryuk Ransomware Persistence Registry Key, Malware Persistence Registry Key, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, AD Object WriteDAC Access, ICacls Granting Access To All"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Process Call Creation, Invoke-TheHash Commandlets, Wmic Service Call, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, WMImplant Hack Tool, WMI DLL Loaded Via Office, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious DLL Loaded Via Office Applications, WMI DLL Loaded Via Office, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, Chafer (APT 39) Activity, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, OneNote Suspicious Children Process, Logonui Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Malicious Service Installations, Wmiprvse Wrong Parent, Lsass Wrong Parent, New Service Creation, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, APT29 Fake Google Update Service Install, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, Chafer (APT 39) Activity, SolarWinds Wrong Child Process, Cobalt Strike Default Service Creation Usage, OneNote Suspicious Children Process, Logonui Wrong Parent, StoneDrill Service Install, Rare Lsass Child Found, Malicious Service Installations, Wmiprvse Wrong Parent, Lsass Wrong Parent, New Service Creation, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, APT29 Fake Google Update Service Install, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Credential Dumping Tools Service Execution, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, WMI Persistence Command Line Event Consumer, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Malicious Service Installations, Metasploit PSExec Service Creation, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Smbexec.py Service Installation, Suspicious PsExec Execution, Gpscript Suspicious Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, WMI Event Subscription, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association, Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Desktopimgdownldr Execution, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Network Connection Via Certutil, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Secure Deletion With SDelete, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Eventlog Cleared"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: GitLab CVE-2021-22205, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, Failed Logon Source From Public IP Addresses, Suspicious DNS Child Process, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Creation or Modification of a GPO Scheduled Task, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1484.001", "score": 100, "comment": "Rules: GPO Executable Delivery, Creation or Modification of a GPO Scheduled Task"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, WMIC Loading Scripting Libraries"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Formbook Hijacked Process Command, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, New Or Renamed User Account With '$' In Attribute 'SamAccountName', AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Possible Malicious File Double Extension, Exploit For CVE-2017-0261 Or CVE-2017-0262, Execution From Suspicious Folder, Legitimate Process Execution From Unusual Folder"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created, Suspicious Windows ANONYMOUS LOGON Local Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136.002", "score": 100, "comment": "Rules: Suspicious Windows ANONYMOUS LOGON Local Account Created"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: Microsoft Malware Protection Engine Crash, Audit CVE Event"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Malspam Execution Registering Malicious DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus Domain Controller Discovery, AdFind Usage, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1021.002", "score": 100, "comment": "Rules: Remote Service Activity Via SVCCTL Named Pipe, Smbexec.py Service Installation, Protected Storage Service Access, Admin Share Access, Lateral Movement - Remote Named Pipe, Cobalt Strike Default Service Creation Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Secure Deletion With SDelete, OneNote Embedded File, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Covenant Default HTTP Beaconing, Suspicious Windows DNS Queries, Potential Lemon Duck User-Agent, Python HTTP Server"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Antivirus Web Shell Detection"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, Antivirus Web Shell Detection, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: Active Directory Shadow Credentials, KeePass Config XML In Command-Line"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Suspicious DLL side loading from ProgramData, Windows Registry Persistence COM Search Order Hijacking, DHCP Callout DLL Installation, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DNS ServerLevelPluginDll Installation, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, Werfault DLL Injection, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1060", "score": 100, "comment": "Rules: Malware Persistence Registry Key, Ryuk Ransomware Persistence Registry Key"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious LDAP-Attributes Used, Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Eventlog Cleared, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1055.012", "score": 100, "comment": "Rules: Process Hollowing Detection"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Privileged AD Builtin Group Modified, User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Active Directory Delegate To KRBTGT Service, Mimikatz Basic Commands, Password Change On Directory Service Restore Mode (DSRM) Account, User Added to Local Administrators, Privileged AD Builtin Group Modified, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Add User to Privileged Group, Active Directory Replication User Backdoor, Active Directory User Backdoors"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, AD User Enumeration, PowerView commandlets 2, Remote Privileged Group Enumeration, Bloodhound and Sharphound Tools Usage, AD Privileged Users Or Groups Reconnaissance"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: AD Privileged Users Or Groups Reconnaissance, Bloodhound and Sharphound Tools Usage, AD User Enumeration"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: SCM Database Handle Failure, PowerView commandlets 1, SCM Database Privileged Operation, PowerView commandlets 2"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Potential RDP Connection To Non-Domain Host, Rubeus Tool Command-line, Abusing Azure Browser SSO"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, DHCP Callout DLL Installation, Suspicious Desktopimgdownldr Execution, FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, RDP Port Change Using Powershell, Remote Registry Management Using Reg Utility, Chafer (APT 39) Activity, OceanLotus Registry Activity, DNS ServerLevelPluginDll Installation, NetNTLM Downgrade Attack, RDP Sensitive Settings Changed, Disable Security Events Logging Adding Reg Key MiniNt, Ursnif Registry Key, Wdigest Enable UseLogonCredential, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Event Subscription, WMI Persistence Script Event Consumer File Write, Suspicious Scripting In A WMI Consumer"}, {"techniqueID": "T1574.001", "score": 100, "comment": "Rules: Windows Registry Persistence COM Search Order Hijacking, Svchost DLL Search Order Hijack"}, {"techniqueID": "T1557.001", "score": 100, "comment": "Rules: Possible RottenPotato Attack"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle), Possible RottenPotato Attack"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation, Possible RottenPotato Attack"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: SysKey Registry Keys Access, Suspicious Taskkill Command, Putty Sessions Listing, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access, Remote Registry Management Using Reg Utility"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: CreateRemoteThread Common Process Injection, MavInject Process Injection, Dynwrapx Module Loading"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Denied Access To Remote Desktop, User Added to Local Administrators, Account Added To A Security Enabled Group"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, DPAPI Domain Backup Key Extraction, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Impacket Secretsdump.py Tool, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, Credential Dumping Tools Service Execution, Credential Dumping-Tools Common Named Pipes, Cred Dump Tools Dropped Files"}, {"techniqueID": "T1212", "score": 100, "comment": "Rules: Abusing Azure Browser SSO, Audit CVE Event"}, {"techniqueID": "T1528", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1550.001", "score": 100, "comment": "Rules: Abusing Azure Browser SSO"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Secure Deletion With SDelete, Backup Catalog Deleted, Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable Security Events Logging Adding Reg Key MiniNt, Disable .NET ETW Through COMPlus_ETWEnabled, Suspect Svchost Memory Access"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line, RDP Port Change Using Powershell"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost, Denied Access To Remote Desktop, RDP Port Change Using Powershell"}, {"techniqueID": "T1003.006", "score": 100, "comment": "Rules: Active Directory Replication from Non Machine Account, Credential Dumping Tools Service Execution, DCSync Attack"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, Dynwrapx Module Loading, IcedID Execution Using Excel"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Suspicious New Printer Ports In Registry, Exploiting SetupComplete.cmd CVE-2019-1378, Audit CVE Event"}, {"techniqueID": "T1499.004", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1499", "score": 100, "comment": "Rules: Audit CVE Event"}, {"techniqueID": "T1547.008", "score": 100, "comment": "Rules: DLL Load via LSASS Registry Key"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: Office Application Startup Office Test, Microsoft Office Startup Add-In, IcedID Execution Using Excel"}, {"techniqueID": "T1091", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1200", "score": 100, "comment": "Rules: External Disk Drive Or USB Storage Device"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1086", "score": 100, "comment": "Rules: In-memory PowerShell"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1039", "score": 100, "comment": "Rules: Suspicious Access To Sensitive File Extensions"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Suspicious TOR Gateway, Netsh Port Forwarding, Suspicious Hostname"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1207", "score": 100, "comment": "Rules: DC Shadow via Service Principal Name (SPN) creation"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1546.012", "score": 100, "comment": "Rules: Registry Persistence Using 'Image File Execution' And 'SilentProcessExit' Keys"}, {"techniqueID": "T1037.001", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1037", "score": 100, "comment": "Rules: Logon Scripts (UserInitMprLogonScript)"}, {"techniqueID": "T1137.002", "score": 100, "comment": "Rules: Office Application Startup Office Test"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1027.005", "score": 100, "comment": "Rules: Secure Deletion With SDelete"}, {"techniqueID": "T1100", "score": 100, "comment": "Rules: Antivirus Web Shell Detection"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Remote Task Creation Via ATSVC Named Pipe"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1137.006", "score": 100, "comment": "Rules: Microsoft Office Startup Add-In"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1021.006", "score": 100, "comment": "Rules: Lsass Access Through WinRM"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request, Discord Suspicious Download"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1090.003", "score": 100, "comment": "Rules: Suspicious TOR Gateway"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json index caab9442f6..5b893d880d 100644 --- a/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_995d7daf-4e4a-42ec-b90d-9af2f7be7019_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cisco Meraki MX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json index 887cb9e4d4..27496ed848 100644 --- a/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_99da26fc-bf7b-4e5b-a76c-408472fcfebb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CertOC Loading Dll, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Mshta Execution, Control Panel Items, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, MavInject Process Injection, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Mshta JavaScript Execution, MOFComp Execution, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Usage Of Sysinternals Tools, Searchprotocolhost Child Found, SolarWinds Suspicious File Creation, PsExec Process, Rare Lsass Child Found, SolarWinds Wrong Child Process, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process, Windows Update LolBins, Winword wrong parent"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, Suspicious Driver Loaded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Trickbot Malware Activity, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, QakBot Process Creation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploiting SetupComplete.cmd CVE-2019-1378, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Usage Of Sysinternals Tools, Searchprotocolhost Child Found, PsExec Process, SolarWinds Wrong Child Process, Rare Lsass Child Found, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Suspicious DNS Child Process, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, RTLO Character"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Rare Lsass Child Found, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Rare Logonui Child Found, Searchprotocolhost Child Found, SolarWinds Wrong Child Process, Csrss Child Found, Suspicious Commands From MS SQL Server Shell, Rare Lsass Child Found, Winword wrong parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, Explorer Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, SOCKS Tunneling Tool, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Autorun Keys Modification, Leviathan Registry Key Activity, Kernel Module Alteration"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Impacket Wmiexec Module, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Sophos Analysis Threat Center [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious HWP Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, CertOC Loading Dll, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, CMSTP Execution, Empire Monkey Activity, xWizard Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, MOFComp Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation, Rare Logonui Child Found, Winword wrong parent, Rare Lsass Child Found, Searchprotocolhost Child Found, Csrss Child Found, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Taskhost or Taskhostw Suspicious Child Found, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Windows Update LolBins"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Disable .NET ETW Through COMPlus_ETWEnabled, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Powershell Web Request, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, QakBot Process Creation, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process, Rare Logonui Child Found, Rare Lsass Child Found, Winword wrong parent, Searchprotocolhost Child Found, Csrss Child Found, Usage Of Procdump With Common Arguments, Suspicious DNS Child Process, SolarWinds Wrong Child Process, Suspicious Commands From MS SQL Server Shell, Usage Of Sysinternals Tools, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Explorer Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Winword wrong parent, Searchprotocolhost Child Found, Csrss Child Found, SolarWinds Wrong Child Process, New Service Creation, Suspicious Commands From MS SQL Server Shell, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Explorer Wrong Parent, Rare Lsass Child Found, Rare Logonui Child Found, Winword wrong parent, Searchprotocolhost Child Found, Csrss Child Found, SolarWinds Wrong Child Process, New Service Creation, Suspicious Commands From MS SQL Server Shell, Taskhost or Taskhostw Suspicious Child Found"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Suspicious Process Requiring DLL Starts Without DLL, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Explorer Wrong Parent"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Kernel Module Alteration, Autorun Keys Modification"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Schtasks Suspicious Parent"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json index 8920bc95d0..3b44404f61 100644 --- a/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Cybereason EDR Alert, PsExec Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cybereason EDR Alert, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cybereason EDR Alert, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cybereason EDR", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, Cybereason EDR Alert, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Cybereason EDR Alert"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage, Cybereason EDR Alert"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json index da7c92ff02..dfa932f321 100644 --- a/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a0dbb8f3-ca1c-4c6b-aafa-595bd430c0cb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, TrevorC2 HTTP Communication, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Squid", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json index 1da576113b..d8d96d8ac0 100644 --- a/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a199fbde-508e-4cb9-ae37-842703494be0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x BIND", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json index 36192df1f2..1862e6425e 100644 --- a/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Jumpcloud Directory Insights", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Jumpcloud Policy Modified"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Jumpcloud Account Locked"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Jumpcloud Api Key Updated"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json index b0e98f143c..f9b0eb1313 100644 --- a/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_b2d961ae-0f7e-400b-879a-f97be24cc02d_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Double Extension, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CMSTP Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Phorpiex DriveMgr Command, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Possible Malicious File Double Extension, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks, Schtasks Persistence With High Privileges, BazarLoader Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Cron Files Alteration, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trend Micro Cloud One / Deep Security", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Control Panel Items, Suspicious Windows Installer Execution, Mshta JavaScript Execution, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, PowerShell Execution Via Rundll32, Suspicious Control Process, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Lazarus Loaders, Koadic Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Python Offensive Tools and Packages, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious VBS Execution Parameter, Powershell Web Request, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, Koadic Execution, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation, Exchange Server Creating Unusual Files, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Spyware Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json index 33a3cea8a4..54dea50f27 100644 --- a/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix EPO [ALPHA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json index f0857d851a..fae9819ebc 100644 --- a/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bae128bb-98c6-45f7-9763-aad3451821e5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Trellix Network Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Trellix Network Security [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json index 0efaaa96da..c396930f09 100644 --- a/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bba2bed2-d925-440f-a0ce-dbcae04eaf26_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Gatewatcher AionIQ", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json index af7936bdbc..4766f2a394 100644 --- a/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_bd9d0f51-114e-499a-bb7a-4f2d0a518b04_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Sliver DNS Beaconing, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare DNS logs", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Sliver DNS Beaconing"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json index 3ff9fecbe4..a8e0951ac7 100644 --- a/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Exploit For CVE-2015-1641, Suspicious HWP Child Process, Msdt (Follina) File Browse Process Execution"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CertOC Loading Dll, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Mshta Execution, Control Panel Items, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, MavInject Process Injection, Suspicious Control Process, Mshta JavaScript Execution, MOFComp Execution, PowerShell Execution Via Rundll32, CMSTP Execution, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, SolarWinds Suspicious File Creation, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Microsoft Defender Antivirus Threat Detected, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Phorpiex DriveMgr Command, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, FromBase64String Command Line, XSL Script Processing And SquiblyTwo Attack, Suspicious PowerShell Invocations - Generic, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, Malicious PowerShell Keywords, PowerShell Downgrade Attack, PowerShell Credential Prompt, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, QakBot Process Creation, WMIC Uninstall Product, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Bloodhound and Sharphound Tools Usage, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Lazarus Loaders, Suspicious PowerShell Keywords, PowerShell - NTFS Alternate Data Stream, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Suspicious XOR Encoded PowerShell Command Line, Sysprep On AppData Folder, WMImplant Hack Tool, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: FromBase64String Command Line, Suspicious PowerShell Invocations - Generic, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), Malicious PowerShell Keywords, PowerShell Downgrade Attack, PowerShell Credential Prompt, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Invoke-TheHash Commandlets, Default Encoding To UTF-8 PowerShell, PowerShell Download From URL, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, PowerShell Malicious PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, PowerShell Invoke Expression With Registry, Suspicious PowerShell Keywords, PowerShell - NTFS Alternate Data Stream, Suspicious XOR Encoded PowerShell Command Line, WMImplant Hack Tool, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Microsoft Office Product Spawning Windows Shell, Microsoft Office Spawning Script, Microsoft Defender Antivirus Threat Detected, Suspicious Outlook Child Process, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Windows Defender Deactivation Using PowerShell Script, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disable Services, MalwareBytes Uninstallation, Disable .NET ETW Through COMPlus_ETWEnabled, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, TrustedInstaller Impersonation, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, Suspicious Driver Loaded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Microsoft Defender Antivirus Disable SecurityHealth, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Powershell AMSI Bypass, Windows Defender Deactivation Using PowerShell Script, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, HackTools Suspicious Process Names, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Process Memory Dump Using Createdump, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, Chafer (APT 39) Activity, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, FromBase64String Command Line, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, Microsoft Defender Antivirus Tampering Detected, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Suspicious DNS Child Process"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Wininit Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Opening, Powershell AMSI Bypass, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Phosphorus Domain Controller Discovery, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: Suspicious XOR Encoded PowerShell Command Line, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Chafer (APT 39) Activity, Logonui Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Chafer (APT 39) Activity, Logonui Wrong Parent, Wininit Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Winrshost Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Outlook Child Process, Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Creation, Exchange Server Spawning Suspicious Processes"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, DNS Server Error Failed Loading The ServerLevelPluginDLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Process Memory Dump Using Createdump, Windows Credential Editor Registry Key"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password, PowerShell Data Compressed"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data, Formbook File Creation DB1"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 1, PowerView commandlets 2, Network Share Discovery"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock, Disable .NET ETW Through COMPlus_ETWEnabled, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Chafer (APT 39) Activity, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Invoke-TheHash Commandlets, Impacket Wmiexec Module, WMImplant Hack Tool, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted, Microsoft Defender Antivirus History Deleted"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Powershell Winlogon Helper DLL, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, NjRat Registry Changes, Suspicious desktop.ini Action, Autorun Keys Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, PowerShell - NTFS Alternate Data Stream, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Tampering - Suspicious Failed Logon Reasons, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Admin User RDP Remote Logon"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Chafer (APT 39) Activity, Schtasks Persistence With High Privileges, Cron Files Alteration, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Register New Logon Process, Rubeus Tool Command-line, Possible Replay Attack"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1041", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Stop Backup Services, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account, Add User to Privileged Group"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: Suncrypt Parameters"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Elastic Winlogbeat", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing, Exfiltration And Tunneling Tools Execution, Chafer (APT 39) Activity, Suspicious Windows DNS Queries, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts, Suspicious HWP Child Process, Msdt (Follina) File Browse Process Execution, Exploit For CVE-2015-1641"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, CertOC Loading Dll, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, CMSTP Execution, Empire Monkey Activity, xWizard Execution, Explorer Process Executing HTA File, CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, MOFComp Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Microsoft Defender Antivirus Threat Detected, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Powershell AMSI Bypass, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, TrustedInstaller Impersonation, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Disable .NET ETW Through COMPlus_ETWEnabled, Address Space Layout Randomization (ASLR) Alteration, Powershell AMSI Bypass, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Tampering Detected, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, TrustedInstaller Impersonation, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Services, Microsoft Defender Antivirus Disable Scheduled Tasks, Windows Defender Deactivation Using PowerShell Script, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse, Microsoft Defender Antivirus Disable SecurityHealth"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, RDP Login From Localhost, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Python Offensive Tools and Packages, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, PowerShell - NTFS Alternate Data Stream, PowerShell Credential Prompt, Suspicious PowerShell Keywords, Microsoft Defender Antivirus Threat Detected, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Trickbot Malware Activity, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, Malicious PowerShell Keywords, AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious Outlook Child Process, WMImplant Hack Tool, PowerShell Invoke Expression With Registry, Suspicious VBS Execution Parameter, Powershell Web Request, FromBase64String Command Line, Invoke-TheHash Commandlets, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, QakBot Process Creation, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, PowerShell - NTFS Alternate Data Stream, PowerShell Credential Prompt, Suspicious PowerShell Keywords, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line, Default Encoding To UTF-8 PowerShell, PowerShell Malicious PowerShell Commandlets, PowerShell Downgrade Attack, Malicious PowerShell Keywords, Mshta Suspicious Child Process, WMImplant Hack Tool, PowerShell Invoke Expression With Registry, Powershell Web Request, FromBase64String Command Line, Invoke-TheHash Commandlets, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Generic, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Sysmon Windows File Block Executable, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Threat Detected, Sysmon Windows File Block Executable, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Process Memory Dump Using Createdump, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names, Process Trace Alteration, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel, DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Chafer (APT 39) Activity, DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution, Sliver DNS Beaconing"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, FromBase64String Command Line, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus Tampering Detected, Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Suspicious DNS Child Process, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, Exploited CVE-2020-10189 Zoho ManageEngine, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, RTLO Character, Suspicious Cmd File Copy Command To Network Share, Copy Of Legitimate System32 Executable, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, Chafer (APT 39) Activity, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, Winrshost Wrong Parent, Chafer (APT 39) Activity, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Wininit Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: PowerView commandlets 1, Phosphorus Domain Controller Discovery, AdFind Usage, PowerView commandlets 2, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Cron Files Alteration, Chafer (APT 39) Activity, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand, PowerShell Invoke-Obfuscation Obfuscated IEX Invocation, Suspicious XOR Encoded PowerShell Command Line"}, {"techniqueID": "T1210", "score": 100, "comment": "Rules: CVE-2019-0708 Scan"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Suspicious Windows DNS Queries, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: Webshell Execution W3WP Process, Webshell Creation, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, Webshell Execution W3WP Process, Exchange Server Creating Unusual Files, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1574.002", "score": 100, "comment": "Rules: DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL, DHCP Server Loaded the CallOut DLL"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: DHCP Server Loaded the CallOut DLL, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, DNS Server Error Failed Loading The ServerLevelPluginDLL, DHCP Server Error Failed Loading the CallOut DLL"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Createdump, Windows Credential Editor Registry Key, Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel, SOCKS Tunneling Tool, Netsh Port Forwarding"}, {"techniqueID": "T1001.003", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1001", "score": 100, "comment": "Rules: Suspicious ADSI-Cache Usage By Unknown Tool"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: PowerShell Data Compressed, Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Phosphorus (APT35) Exchange Discovery, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Formbook File Creation DB1, Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1135", "score": 100, "comment": "Rules: PowerView commandlets 2, Network Share Discovery, PowerView commandlets 1"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, Disable .NET ETW Through COMPlus_ETWEnabled, OceanLotus Registry Activity, Chafer (APT 39) Activity, RDP Sensitive Settings Changed, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation, Invoke-TheHash Commandlets, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, WMImplant Hack Tool, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Deleted, Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Copy Of Legitimate System32 Executable, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1547.009", "score": 100, "comment": "Rules: Suspicious desktop.ini Action"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Powershell Winlogon Helper DLL, NjRat Registry Changes, Suspicious desktop.ini Action, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Backup Catalog Deleted"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1007", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: PowerView commandlets 2, PowerView commandlets 1, Network Scanning and Discovery"}, {"techniqueID": "T1562.002", "score": 100, "comment": "Rules: Disable .NET ETW Through COMPlus_ETWEnabled"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1564.004", "score": 100, "comment": "Rules: PowerShell - NTFS Alternate Data Stream"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File, PowerShell - NTFS Alternate Data Stream, Hiding Files With Attrib.exe"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses, Admin User RDP Remote Logon, Account Tampering - Suspicious Failed Logon Reasons, Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1219", "score": 100, "comment": "Rules: Antivirus Relevant File Paths Alerts"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack, Rubeus Tool Command-line, Rubeus Register New Logon Process"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt, Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, Net.exe User Account Creation"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1021.001", "score": 100, "comment": "Rules: RDP Login From Localhost"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Stop Backup Services, Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1547.004", "score": 100, "comment": "Rules: Powershell Winlogon Helper DLL"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group, SeEnableDelagationPrivilege Granted To User Or Machine In Active Directory, Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1550.002", "score": 100, "comment": "Rules: Successful Overpass The Hash Attempt"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1087.003", "score": 100, "comment": "Rules: Phosphorus (APT35) Exchange Discovery"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1078.001", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.002", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1078.003", "score": 100, "comment": "Rules: Admin User RDP Remote Logon"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json index d9a6d53f4f..e5dba5699d 100644 --- a/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS New Country, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft Defender for Office 365 Medium Severity AIR Alert, Possible Malicious File Double Extension, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) DLP Policy Removed, Suspicious Double Extension, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft 365 (Office 365) Malware Filter Rule Deletion"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability, CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Download Files From Suspicious TLDs, Microsoft 365 (Office 365) MCAS New Country, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Malware Uploaded On SharePoint, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Suspicious Double Extension, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication, Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, User Account Created"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Failed Logon Source From Public IP Addresses, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Privacy Email Address, Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Microsoft 365 / Office 365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Safelinks Disabled, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Repeated Delete, Possible Malicious File Double Extension, Microsoft 365 (Office 365) DLP Policy Removed, Suspicious Double Extension, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Malware Uploaded On SharePoint"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft 365 (Office 365) MCAS Repeated Failed Login, Microsoft 365 (Office 365) Mass Download By A Single User, Microsoft 365 (Office 365) Safelinks Disabled, Cobalt Strike Default Beacons Names, Microsoft 365 (Office 365) MailBoxAuditBypassAssociation Option Implementation, Microsoft 365 (Office 365) Unusual Volume Of File Deletion, Microsoft 365 (Office 365) MCAS Repeated Delete, Microsoft 365 (Office 365) DLP Policy Removed, Microsoft 365 (Office 365) MCAS Risky IP, Microsoft 365 (Office 365) Potential Ransomware Activity Detected, Microsoft 365 (Office 365) Malware Filter Rule Deletion, Microsoft 365 (Office 365) Malware Filter Policy Removed, Microsoft 365 (Office 365) Anti-Phishing Policy Deletion, Microsoft 365 (Office 365) MCAS Detection Velocity, Microsoft 365 (Office 365) Safe Attachment Rule Disabled, Microsoft 365 (Office 365) Malware Uploaded On OneDrive, Microsoft 365 (Office 365) AtpDetection, Microsoft 365 (Office 365) Anti-Phishing Rule Deletion, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Microsoft 365 (Office 365) MCAS New Country, Microsoft 365 (Office 365) MCAS Inbox Hiding, Microsoft 365 (Office 365) Malware Uploaded On SharePoint"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Suspicious Double Extension, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert, Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Microsoft 365 Device Code Authentication, Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, Failed Logon Source From Public IP Addresses, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CVE-2017-11882 Microsoft Office Equation Editor Vulnerability"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 Low Severity AIR Alert Handled Automatically, Microsoft Defender for Office 365 Low Severity AIR Alert Requires Action, Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1114.003", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Microsoft 365 Email Forwarding To Email Address With Rare TLD, Microsoft 365 Email Forwarding To Consumer Email Address, Microsoft 365 Email Forwarding To Privacy Email Address"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Microsoft 365 Sign-in With No User Agent"}, {"techniqueID": "T1586", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1586.002", "score": 100, "comment": "Rules: Microsoft Defender for Office 365 High Severity AIR Alert, Microsoft Defender for Office 365 Medium Severity AIR Alert"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Microsoft 365 Device Code Authentication"}, {"techniqueID": "T1564.008", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Microsoft 365 Suspicious Inbox Rule"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json index db35f40cd8..6a0f3d981e 100644 --- a/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_cf5c916e-fa26-11ed-a844-f7f4d7348199_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file +{"name": "SEKOIA.IO x OGO WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json index 231dcf5ddc..0b35fd4b7d 100644 --- a/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d2725f97-0c7b-4942-a847-983f38efb8ff_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Salesforce [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json index de5253d497..d97b68d214 100644 --- a/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d3a813ac-f9b5-451c-a602-a5994544d9ed_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Important Change, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Disable MFA, AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail Important Change, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail GuardDuty Detector Deleted, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Disable MFA, AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Failed User Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Failed User Creation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}]} \ No newline at end of file +{"name": "SEKOIA.IO x AWS CloudTrail", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Important Change, AWS CloudTrail Disable MFA, AWS CloudTrail Remove Flow logs, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail GuardDuty Detector Suspended"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: AWS CloudTrail Config Disable Channel/Recorder, AWS CloudTrail Important Change, AWS CloudTrail Disable MFA, AWS CloudTrail Remove Flow logs, AWS CloudTrail EventBridge Rule Disabled Or Deleted, AWS CloudTrail GuardDuty Disruption, AWS CloudTrail EC2 Security Group Modified, AWS CloudTrail GuardDuty Detector Suspended, AWS CloudTrail GuardDuty Detector Deleted"}, {"techniqueID": "T1578", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail IAM Failed User Creation"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: AWS CloudTrail IAM Password Policy Updated, AWS CloudTrail Root ConsoleLogin, AWS CloudTrail IAM Policy Changed, AWS CloudTrail Route 53 Domain Transfer Attempt, AWS CloudTrail Route 53 Domain Transfer Lock Disabled, AWS CloudTrail IAM Failed User Creation"}, {"techniqueID": "T1070.004", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: AWS CloudTrail KMS CMK Key Deleted"}, {"techniqueID": "T1578.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Subnet Deleted, AWS CloudTrail ECS Cluster Deleted"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: AWS CloudTrail RDS Public DB Restore, AWS CloudTrail RDS Change Master Password"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: AWS CloudTrail ECS Cluster Deleted, AWS CloudTrail RDS DB Cluster/Instance Deleted"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1059.004", "score": 100, "comment": "Rules: AWS CloudTrail EC2 Startup Script Changed"}, {"techniqueID": "T1562.008", "score": 100, "comment": "Rules: AWS CloudTrail Remove Flow logs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json index fa54a4196d..aec125fa15 100644 --- a/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d719e8b5-85a1-4dad-bf71-46155af56570_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WatchGuard Firebox", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1557", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Potential Azure AD Phishing Page (Adversary-in-the-Middle)"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json index b7f32cc552..10e08fb95c 100644 --- a/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_d9f337a4-1303-47d4-b15f-1f83807ff3cc_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: TrevorC2 HTTP Communication, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Imperva WAF", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Download Files From Non-Legitimate TLDs, Possible Malicious File Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, TrevorC2 HTTP Communication, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Non-Legitimate TLDs, Download Files From Suspicious TLDs"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json index 3175448ec7..9657aecb17 100644 --- a/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_da3555f9-8213-41b8-8659-4cb814431e29_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass via Event Viewer, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Panda Security SIEM Feeder", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Pandemic Windows Implant"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Disable Workstation Lock, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Ursnif Registry Key"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Sysinternals Tools"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Suspicious Driver Loaded"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Windows Credential Editor Registry Key"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json index 148e73f46b..4bc7b7ef30 100644 --- a/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_dc0f339f-5dbe-4e68-9fa0-c63661820941_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Cobalt Strike HTTP Default POST Beaconing, Cobalt Strike HTTP Default GET beaconing, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Bazar Loader DGA (Domain Generation Algorithm), Sliver DNS Beaconing"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Zscaler Internet Access [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Cobalt Strike HTTP Default GET beaconing, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Sliver DNS Beaconing, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, Koadic MSHTML Command, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Cobalt Strike HTTP Default GET beaconing, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, Cobalt Strike HTTP Default POST Beaconing, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: Sliver DNS Beaconing, Bazar Loader DGA (Domain Generation Algorithm)"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json index 671039dc5a..4afa8f1653 100644 --- a/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_de9ca004-991e-4f5c-89c5-e075f3fb3216_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: Netskope Alert, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Netskope", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netskope Alert"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1530", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1083", "score": 100, "comment": "Rules: Netskope DLP Alert"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1078.004", "score": 100, "comment": "Rules: Netskope Admin Audit"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Netskope Admin Audit"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json index 2f275f4e6d..9136da7041 100644 --- a/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e0eaf2f1-02d0-4d1a-be89-f2b8be4baf4e_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-17530 Apache Struts RCE, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-0688 Microsoft Exchange Server Exploit"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Detect requests to Konni C2 servers"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Proofpoint PoD", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Koadic MSHTML Command"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json index 9b842e31e0..24c5ea326b 100644 --- a/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e4a758fc-7620-49e6-b8ed-b7fb3d7fa232_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Scam Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, SEKOIA.IO Intelligence Feed, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Scam Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Malware Detected By Vade For M365, Spam Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Spearphishing (W2 Fraud) Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365, Phishing Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Vade for M365", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Spearphishing (W2 Fraud) Detected By Vade For M365, Spam Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365, Spearphishing (CEO Fraud) Detected By Vade For M365, Malware Detected By Vade For M365 And Not Blocked, Spam Detected By Vade For M365, Spearphishing (Lawyer Fraud) Detected By Vade For M365, Malware Detected By Vade For M365, Spearphishing (Initial Contact Fraud) Detected By Vade For M365, Scam Detected By Vade For M365 And Not Blocked, Spearphishing (Gift Cards Fraud) Detected By Vade For M365, Scam Detected By Vade For M365"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1566.003", "score": 100, "comment": "Rules: Phishing Detected By Vade For M365 And Not Blocked, Phishing Detected By Vade For M365"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Malware Detected By Vade For M365 And Not Blocked, Malware Detected By Vade For M365"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json index 7c40f0de02..a8ff63f3e4 100644 --- a/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e6bb2404-8fc8-4124-a785-c1276277b5d7_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Nimbo-C2 User Agent, SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Okta Phishing Detection with FastPass Origin Check"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Modified or Deleted, Okta Policy Rule Modified or Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Admin Privilege Granted, Okta Application deleted, Okta User Account Deactivated, Okta User Impersonation Access, Okta Application modified"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Suspicious Activity Reported, Okta Unauthorized Access to App"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Blacklist Manipulations, Okta Security Threat Configuration Updated, Okta Network Zone Modified, Okta Network Zone Deleted, Okta MFA Disabled"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Deleted, Okta Network Zone Modified"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token revoked, Okta API Token created"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Bazar Loader User-Agents, Potential Lemon Duck User-Agent"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Okta", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Okta Phishing Detection with FastPass Origin Check, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Okta Policy Rule Modified or Deleted, Okta Policy Modified or Deleted"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Okta Security Threat Detected"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Okta Admin Privilege Granted, Okta User Account Deactivated, Okta User Impersonation Access, Okta Application modified, Okta Application deleted"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: Okta User Impersonation Access"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Okta Unauthorized Access to App, Okta Suspicious Activity Reported"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Okta MFA Disabled"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Okta Network Zone Modified, Okta Network Zone Deleted, Okta Blacklist Manipulations, Okta Security Threat Configuration Updated, Okta MFA Disabled, Okta Network Zone Deactivated"}, {"techniqueID": "T1562.007", "score": 100, "comment": "Rules: Okta Network Zone Deactivated, Okta Network Zone Modified, Okta Network Zone Deleted"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Okta User Account Created"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Okta API Token created, Okta API Token revoked"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: Okta User Account Locked"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Okta Admin Privilege Granted"}, {"techniqueID": "T1111", "score": 100, "comment": "Rules: Okta MFA Bypass Attempt"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Nimbo-C2 User Agent, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json index d8a95083dc..3f7009d1cd 100644 --- a/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_e8cb3372-41c8-409f-8e0e-ca4e6cecf7e6_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Control Panel Items, Empire Monkey Activity, Explorer Process Executing HTA File, CertOC Loading Dll, Suspicious Control Process, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, Suspicious Taskkill Command, CMSTP Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal, MavInject Process Injection, Mshta JavaScript Execution, xWizard Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Phorpiex DriveMgr Command, Elise Backdoor, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Interactive Terminal Spawned via Python, Suspicious Windows Script Execution, Socat Relaying Socket, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell, Socat Reverse Shell Detection, PowerShell Download From URL, WMIC Uninstall Product, Microsoft Defender Antivirus Disabled Base64 Encoded, Venom Multi-hop Proxy agent detection, Bloodhound and Sharphound Tools Usage, Python Offensive Tools and Packages, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, SELinux Disabling, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, Disabled Service, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Disabled IE Security Features, Fail2ban Unban IP, SELinux Disabling, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Change Default File Association, WMI Persistence Script Event Consumer File Write, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Port Forwarding, Windows Firewall Changes, Netsh RDP Port Forwarding, Netsh Port Opening, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: Empire Monkey Activity, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, AdFind Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: Webshell Creation, PowerCat Function Loading, Exchange Server Creating Unusual Files, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Netsh Port Forwarding, Socat Reverse Shell Detection, Socat Relaying Socket, SOCKS Tunneling Tool, Venom Multi-hop Proxy agent detection, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Non-Legitimate Executable Using AcceptEula Parameter, RTLO Character"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration, MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RedMimicry Winnti Playbook Registry Manipulation, Blue Mockingbird Malware"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Venom Multi-hop Proxy agent detection, Socat Relaying Socket, Socat Reverse Shell Detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file +{"name": "SEKOIA.IO x IBM AIX", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, SEKOIA.IO Intelligence Feed, DNS Exfiltration and Tunneling Tools Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Control Panel Items, Suspicious Windows Installer Execution, Mshta JavaScript Execution, MavInject Process Injection, xWizard Execution, AccCheckConsole Executing Dll, PowerShell Execution Via Rundll32, Suspicious Control Process, CertOC Loading Dll, Suspicious DLL Loading By Ordinal, CMSTP Execution, Empire Monkey Activity, Suspicious Mshta Execution, Suspicious Taskkill Command, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Elise Backdoor, Lazarus Loaders, Koadic Execution, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Socat Relaying Socket, Python Offensive Tools and Packages, Elise Backdoor, Interactive Terminal Spawned via Python, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Venom Multi-hop Proxy agent detection, PowerShell Download From URL, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious VBS Execution Parameter, Powershell Web Request, Socat Reverse Shell Detection, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, Koadic Execution, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Process Trace Alteration, WCE wceaux.dll Creation, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, NTDS.dit File In Suspicious Directory, Process Memory Dump Using Rdrleakdiag, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, SELinux Disabling, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disabled Service, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, SELinux Disabling, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Disabled Service, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Finger Usage, Suspicious Headless Web Browser Execution To Download File, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Explorer Process Executing HTA File"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, Koadic Execution, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Equation Group DLL_U Load"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: NlTest Usage, Bloodhound and Sharphound Tools Usage, Domain Trust Discovery Through LDAP, AdFind Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Usage Of Procdump With Common Arguments, PsExec Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Socat Relaying Socket, Ngrok Process Execution, Socat Reverse Shell Detection, Exfiltration And Tunneling Tools Execution, SOCKS Tunneling Tool, Netsh Port Forwarding, Venom Multi-hop Proxy agent detection"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Non-Legitimate Executable Using AcceptEula Parameter, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: New Service Creation"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: PowerCat Function Loading, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File, PowerShell EncodedCommand"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: ICacls Granting Access To All"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Disabled Service"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1059.008", "score": 100, "comment": "Rules: Socat Relaying Socket, Venom Multi-hop Proxy agent detection, Socat Reverse Shell Detection"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1059.006", "score": 100, "comment": "Rules: Python Offensive Tools and Packages"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1020", "score": 100, "comment": "Rules: Python Exfiltration Tools"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json index 5eb8127565..5bf8fc190c 100644 --- a/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Suspicious Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: SolarWinds Suspicious File Creation, PsExec Process"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: CMSTP Execution"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Download Files From Suspicious TLDs, Cobalt Strike Default Beacons Names"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Exfiltration And Tunneling Tools Execution, Potential DNS Tunnel"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Lemon Duck User-Agent, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file +{"name": "SEKOIA.IO x SonicWall Firewall", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious Download Links From Legitimate Services"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: PsExec Process, SolarWinds Suspicious File Creation"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Cobalt Strike Default Beacons Names, Download Files From Suspicious TLDs"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: Microsoft Office Creating Suspicious File"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage, AdFind Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: NTDS.dit File In Suspicious Directory, WCE wceaux.dll Creation"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: PsExec Process"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1027.002", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: OneNote Embedded File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Creating Unusual Files, Webshell Creation"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Adexplorer Usage"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, Exfiltration And Tunneling Tools Execution, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Package Manager Alteration"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json index e745ba6151..33314c9f94 100644 --- a/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_ee6364a1-9e3c-4363-9cb6-2f574bd4ce51_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Added To A Security Enabled Group, Account Removed From A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}]} \ No newline at end of file +{"name": "SEKOIA.IO x WatchGuard Endpoint Security / Panda Security Aether", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1484.002", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1484", "score": 100, "comment": "Rules: Domain Trust Created Or Removed"}, {"techniqueID": "T1078", "score": 100, "comment": "Rules: Account Removed From A Security Enabled Group, Account Added To A Security Enabled Group, Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: User Account Created"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Possible Replay Attack"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1133", "score": 100, "comment": "Rules: Failed Logon Source From Public IP Addresses"}, {"techniqueID": "T1531", "score": 100, "comment": "Rules: User Account Deleted"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Password Change On Directory Service Restore Mode (DSRM) Account"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json index ef1c8b7a08..ad0ef0a760 100644 --- a/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f0f95532-9928-4cde-a399-ddd992d48472_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2020-1147 SharePoint, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2019-0604 SharePoint"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, Nimbo-C2 User Agent, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Forcepoint Secure Web Gateway", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-21972 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, CVE-2021-26855 Exchange SSRF, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-21985 VMware vCenter, CVE-2019-0604 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-1147 SharePoint"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json index a24c3f6c3f..99cd12bd03 100644 --- a/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f570dd30-854b-4a22-9c2d-e2cfa46bf0e5_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious Download Links From Legitimate Services, Possible Malicious File Double Extension, SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Possible Malicious File Double Extension, RTLO Character"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2019-19781 Citrix NetScaler (ADC), CVE-2021-41773 Apache 2.4.49 Path Traversal, CVE-2019-0604 SharePoint, CVE-2021-21972 VMware vCenter, CVE-2020-1147 SharePoint, CVE-2018-11776 Apache Struts2, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2021-26855 Exchange SSRF, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2019-11510 Pulse Secure Exploit, CVE-2020-17530 Apache Struts RCE, CVE-2018-13379 Fortinet Exploit, CVE-2021-21985 VMware vCenter, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-43798 Grafana Directory Traversal, GitLab CVE-2021-22205, CVE-2019-2725 Oracle Weblogic Exploit"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Suspicious URI Used In A Lazarus Campaign"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Potential Bazar Loader User-Agents, Koadic MSHTML Command, LokiBot Default C2 URL, Nimbo-C2 User Agent, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Detect requests to Konni C2 servers, Potential Lemon Duck User-Agent, FoggyWeb HTTP Default GET/POST Requests"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: CVE-2021-34473 ProxyShell Attempt, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file +{"name": "SEKOIA.IO x Cloudflare Gateway HTTP [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services, SEKOIA.IO Intelligence Feed, Possible Malicious File Double Extension, Download Files From Suspicious TLDs"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: WCE wceaux.dll Creation"}, {"techniqueID": "T1036.002", "score": 100, "comment": "Rules: RTLO Character"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: RTLO Character, Possible Malicious File Double Extension"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2019-11510 Pulse Secure Exploit, CVE-2018-11776 Apache Struts2, CVE-2021-43798 Grafana Directory Traversal, CVE-2019-19781 Citrix NetScaler (ADC), GitLab CVE-2021-22205, CVE-2020-17530 Apache Struts RCE, CVE-2021-22123 Fortinet FortiWeb OS Command Injection, CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2020-5902 F5 BIG-IP Exploitation Attempts, CVE-2021-21972 VMware vCenter, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2021-21985 VMware vCenter, CVE-2019-2725 Oracle Weblogic Exploit, CVE-2020-0688 Microsoft Exchange Server Exploit, CVE-2018-13379 Fortinet Exploit, CVE-2020-1147 SharePoint, CVE-2020-14882 Oracle WebLogic Server, CVE-2021-26855 Exchange SSRF, CVE-2019-0604 SharePoint, CVE-2021-41773 Apache 2.4.49 Path Traversal"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious URI Used In A Lazarus Campaign, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Detect requests to Konni C2 servers, Cloudflare Gateway HTTP File Blocked By Anti-Virus Scan, Nimbo-C2 User Agent, Koadic MSHTML Command, Potential Bazar Loader User-Agents, LokiBot Default C2 URL, FoggyWeb HTTP Default GET/POST Requests, Potential Lemon Duck User-Agent"}, {"techniqueID": "T1595.002", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1595", "score": 100, "comment": "Rules: Burp Suite Tool Detected"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1102.002", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1102", "score": 100, "comment": "Rules: Telegram Bot API Request"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}, {"techniqueID": "T1588.002", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1588", "score": 100, "comment": "Rules: Privilege Escalation Awesome Scripts (PEAS)"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, CVE-2021-34473 ProxyShell Attempt"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Potential DNS Tunnel"}, {"techniqueID": "T1211", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1599", "score": 100, "comment": "Rules: SharePoint Authenticated SSRF"}, {"techniqueID": "T1566.002", "score": 100, "comment": "Rules: Suspicious Download Links From Legitimate Services"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json index 42954fbaa8..3056574ea1 100644 --- a/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json +++ b/_shared_content/operations_center/detection/generated/attack_f5e6cf5e-bd9f-4caf-9098-fe4a9e0aeaa0_do_not_edit_manually.json @@ -1 +1 @@ -{"name": "SEKOIA.IO x StormShield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: Python HTTP Server, DNS Exfiltration and Tunneling Tools Execution, DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Koadic MSHTML Command, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, SEKOIA.IO Intelligence Feed, Suspicious Outlook Child Process, Suspicious Double Extension, Possible Malicious File Double Extension"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: Empire Monkey Activity, CertOC Loading Dll, Suspicious Taskkill Command, Equation Group DLL_U Load, Suspicious Mshta Execution, Control Panel Items, IcedID Execution Using Excel, Suspicious Regsvr32 Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Rundll32.exe Execution, AccCheckConsole Executing Dll, Suspicious Windows Installer Execution, MavInject Process Injection, CMSTP UAC Bypass via COM Object Access, Suspicious Control Process, Mshta JavaScript Execution, MOFComp Execution, PowerShell Execution Via Rundll32, CMSTP Execution, Suspicious DLL Loading By Ordinal, xWizard Execution"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Netsh Port Forwarding, Windows Firewall Changes, Netsh Port Opening, Netsh RDP Port Forwarding, Netsh Allow Command, NetSh Used To Disable Windows Firewall, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Windows Firewall Changes, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Netsh Allow Command, Debugging Software Deactivation, Suspicious Driver Loaded, NetSh Used To Disable Windows Firewall, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Clear EventLogs Through CommandLine, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, ETW Tampering, Netsh Allowed Python Program, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Restoration Abuse, Package Manager Alteration, Address Space Layout Randomization (ASLR) Alteration, MalwareBytes Uninstallation, Disable Task Manager Through Registry Key, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disable Using Registry, Debugging Software Deactivation, Suspicious Driver Loaded, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Netsh Port Forwarding, WMIC Uninstall Product, Netsh RDP Port Forwarding, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Opening, Netsh Program Allowed With Suspicious Location, Disabled IE Security Features, Fail2ban Unban IP, Raccine Uninstall, Netsh Port Opening, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC Spawning Windows Shell, MMC20 Lateral Movement"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, WMIC Uninstall Product, Lazarus Loaders, Suspicious Taskkill Command, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, Phorpiex DriveMgr Command, Elise Backdoor, Exploiting SetupComplete.cmd CVE-2019-1378, MalwareBytes Uninstallation"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution, PowerShell EncodedCommand, Suspicious Taskkill Command, Koadic Execution, Trickbot Malware Activity, Suspicious PowerShell Invocations - Specific, PowerShell Malicious Nishang PowerShell Commandlets, Powershell Web Request, Suspicious Outlook Child Process, Suspicious PrinterPorts Creation (CVE-2020-1048), MalwareBytes Uninstallation, PowerShell Downgrade Attack, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, Default Encoding To UTF-8 PowerShell, AutoIt3 Execution From Suspicious Folder, PowerShell Download From URL, QakBot Process Creation, WMIC Uninstall Product, Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, Microsoft Office Spawning Script, Exploiting SetupComplete.cmd CVE-2019-1378, Bloodhound and Sharphound Tools Usage, DNS Exfiltration and Tunneling Tools Execution, Lazarus Loaders, Phorpiex DriveMgr Command, Suspicious VBS Execution Parameter, Sysprep On AppData Folder, Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: XCopy Suspicious Usage, Adexplorer Usage, Opening Of a Password File, Container Credential Access, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, XCopy Suspicious Usage, Adexplorer Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: PowerShell Downgrade Attack, DNS Exfiltration and Tunneling Tools Execution, PowerShell Download From URL, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Mshta Suspicious Child Process, PowerShell EncodedCommand, Suspicious Taskkill Command, Exploited CVE-2020-10189 Zoho ManageEngine, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, PowerShell Malicious Nishang PowerShell Commandlets, Microsoft Defender Antivirus Disabled Base64 Encoded, Powershell Web Request, Default Encoding To UTF-8 PowerShell, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious PrinterPorts Creation (CVE-2020-1048)"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Exploit For CVE-2015-1641, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Download Files From Suspicious TLDs, Microsoft Office Product Spawning Windows Shell"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Rubeus Tool Command-line, Copying Sensitive Files With Credential Data, Grabbing Sensitive Hives Via Reg Utility, Windows Credential Editor Registry Key, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Process Memory Dump Using Comsvcs, Process Trace Alteration, NTDS.dit File Interaction Through Command Line, Process Memory Dump Using Rdrleakdiag, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: Powershell UploadString Function, Exfiltration Domain In Command Line, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Microsoft Defender Antivirus Exclusion Command, Suspicious certutil command"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Suspicious Mshta Execution, Suspicious Taskkill Command, Mshta JavaScript Execution, Explorer Process Executing HTA File"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Windows Update LolBins, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Capture a network trace with netsh.exe, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence, Control Panel Items, Sticky Key Like Backdoor Usage, WMI Persistence Script Event Consumer File Write, Change Default File Association, New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Rclone Process, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Rclone Process, Suspicious Finger Usage, Suspicious URI Used In A Lazarus Campaign, Suspicious Headless Web Browser Execution To Download File, Pandemic Windows Implant, Suspicious certutil command"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine, Microsoft Defender Antivirus History Directory Deleted, ETW Tampering"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: ETW Tampering, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2020-0688 Microsoft Exchange Server Exploit, Suspicious DNS Child Process, CVE-2020-17530 Apache Struts RCE"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, PsExec Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Rare Lsass Child Found, Taskhostw Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Usage Of Procdump With Common Arguments, Spoolsv Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Svchost Wrong Parent, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, Suspicious DNS Child Process, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Formbook Hijacked Process Command, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Explorer Wrong Parent, Phorpiex Process Masquerading, Exploit For CVE-2017-0261 Or CVE-2017-0262, Suspicious Cmd.exe Command Line, Non-Legitimate Executable Using AcceptEula Parameter, Formbook Hijacked Process Command, Possible Malicious File Double Extension, AutoIt3 Execution From Suspicious Folder"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: MavInject Process Injection, Explorer Wrong Parent, Spoolsv Wrong Parent, Wsmprovhost Wrong Parent, Smss Wrong Parent, Taskhost Wrong Parent, Address Space Layout Randomization (ASLR) Alteration, Wmiprvse Wrong Parent, Svchost Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Taskhostw Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Smss Wrong Parent, Wsmprovhost Wrong Parent, Userinit Wrong Parent, OneNote Suspicious Children Process, SolarWinds Wrong Child Process, Taskhost Wrong Parent, Wmiprvse Wrong Parent, Dllhost Wrong Parent, Logonui Wrong Parent, Taskhostw Wrong Parent, Rare Lsass Child Found, Explorer Wrong Parent, Csrss Wrong Parent, Winlogon wrong parent, Csrss Child Found, Spoolsv Wrong Parent, New Service Creation, Taskhost or Taskhostw Suspicious Child Found, Searchprotocolhost Child Found, Suspicious Commands From MS SQL Server Shell, Searchprotocolhost Wrong Parent, Searchindexer Wrong Parent, Rare Logonui Child Found, Svchost Wrong Parent, Lsass Wrong Parent, Winword wrong parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Empire Monkey Activity, SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, Suspicious DLL Loading By Ordinal"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: Trickbot Malware Activity, AdFind Usage, NlTest Usage, Domain Trust Discovery Through LDAP, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Schtasks Suspicious Parent, Suspicious Scheduled Task Creation, Blue Mockingbird Malware, Spyware Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Cron Files Alteration, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs, Suspicious HWP Child Process, Exploit For CVE-2015-1641"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Koadic MSHTML Command, Python HTTP Server, Detect requests to Konni C2 servers, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: IIS Module Installation Using AppCmd, PowerCat Function Loading, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, ProxyShell Exchange Suspicious Paths"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: Ngrok Process Execution, SOCKS Tunneling Tool, Exfiltration And Tunneling Tools Execution, Netsh Port Forwarding"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar, Data Compressed With Rar With Password"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: RDP Sensitive Settings Changed, FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, RedMimicry Winnti Playbook Registry Manipulation, Ursnif Registry Key, OceanLotus Registry Activity"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: CMSTP UAC Bypass via COM Object Access, UAC Bypass Via Sdclt, UAC Bypass Using Fodhelper, UAC Bypass via Event Viewer"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd File Copy Command To Network Share, Suspicious Cmd.exe Command Line"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: System Info Discovery, Listing Systemd Environment, Suspicious Headless Web Browser Execution To Download File, List Shadow Copies"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Cmdkey Cached Credentials Recon, Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification, Leviathan Registry Key Activity"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: RUN Registry Key Created From Suspicious Folder, Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, Autorun Keys Modification"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: IcedID Execution Using Excel, Suspicious Regsvr32 Execution"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Certificate Authority Modification, Suspicious certutil command"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, XSL Script Processing And SquiblyTwo Attack, Blue Mockingbird Malware, WMIC Uninstall Product, Wmic Service Call, Impacket Wmiexec Module, Wmic Process Call Creation, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable, Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, SquirrelWaffle Malspam Execution Loading DLL, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Suncrypt Parameters, Inhibit System Recovery Deleting Backups"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: Koadic Execution, XSL Script Processing And SquiblyTwo Attack, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks, Blue Mockingbird Malware"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: SSH Authorized Key Alteration, Add User to Privileged Group"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]} \ No newline at end of file +{"name": "SEKOIA.IO x StormShield SES [BETA]", "versions": {"attack": "13", "layer": "4.4", "navigator": "4.8.2"}, "domain": "enterprise-attack", "techniques": [{"techniqueID": "T1041", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Netsh Port Forwarding, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1071", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, SEKOIA.IO Intelligence Feed, Detect requests to Konni C2 servers, DNS Exfiltration and Tunneling Tools Execution, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution, Python HTTP Server"}, {"techniqueID": "T1566", "score": 100, "comment": "Rules: SEKOIA.IO Intelligence Feed, Suspicious HWP Child Process, Download Files From Suspicious TLDs, Possible Malicious File Double Extension, Suspicious Double Extension, Suspicious Outlook Child Process"}, {"techniqueID": "T1218.002", "score": 100, "comment": "Rules: Control Panel Items, Suspicious Control Process"}, {"techniqueID": "T1218", "score": 100, "comment": "Rules: AccCheckConsole Executing Dll, Suspicious Mshta Execution, Suspicious Taskkill Command, IcedID Execution Using Excel, Suspicious Windows Installer Execution, Suspicious Regsvr32 Execution, PowerShell Execution Via Rundll32, CertOC Loading Dll, Control Panel Items, CMSTP UAC Bypass via COM Object Access, Mshta JavaScript Execution, MavInject Process Injection, Suspicious Rundll32.exe Execution, CMSTP Execution, Empire Monkey Activity, xWizard Execution, Explorer Process Executing HTA File, SquirrelWaffle Malspam Execution Loading DLL, Suspicious Control Process, Suspicious DLL Loading By Ordinal, MOFComp Execution, Equation Group DLL_U Load"}, {"techniqueID": "T1562.004", "score": 100, "comment": "Rules: Netsh Port Opening, Netsh Allow Command, Netsh Port Forwarding, NetSh Used To Disable Windows Firewall, Netsh Program Allowed With Suspicious Location, Netsh RDP Port Opening, Netsh RDP Port Forwarding, Windows Firewall Changes, Netsh Allowed Python Program"}, {"techniqueID": "T1562", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Netsh Allow Command, Microsoft Defender Antivirus Disable Using Registry, NetSh Used To Disable Windows Firewall, Netsh RDP Port Opening, MalwareBytes Uninstallation, ETW Tampering, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Clear EventLogs Through CommandLine, Windows Firewall Changes, Netsh Allowed Python Program, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1562.001", "score": 100, "comment": "Rules: Disabled IE Security Features, Package Manager Alteration, Disable Task Manager Through Registry Key, Suspicious Microsoft Defender Antivirus Exclusion Command, Netsh Port Forwarding, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Raccine Uninstall, Address Space Layout Randomization (ASLR) Alteration, Microsoft Defender Antivirus Disabled Base64 Encoded, Netsh RDP Port Forwarding, PowerShell AMSI Deactivation Bypass Using .NET Reflection, Microsoft Defender Antivirus Disable Scheduled Tasks, Microsoft Defender Antivirus Disable Using Registry, Netsh RDP Port Opening, MalwareBytes Uninstallation, Netsh Port Opening, Fail2ban Unban IP, Microsoft Defender Antivirus Signatures Removed With MpCmdRun, Debugging Software Deactivation, Netsh Program Allowed With Suspicious Location, Suspicious Driver Loaded, WMIC Uninstall Product, Microsoft Defender Antivirus Restoration Abuse"}, {"techniqueID": "T1021.003", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1021", "score": 100, "comment": "Rules: MMC20 Lateral Movement, MMC Spawning Windows Shell"}, {"techniqueID": "T1059.003", "score": 100, "comment": "Rules: Phorpiex DriveMgr Command, Suspicious Cmd.exe Command Line, Elise Backdoor, SquirrelWaffle Malspam Execution Loading DLL, Lazarus Loaders, Exploiting SetupComplete.cmd CVE-2019-1378, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, MalwareBytes Uninstallation, WMIC Uninstall Product, Suspicious Taskkill Command"}, {"techniqueID": "T1059", "score": 100, "comment": "Rules: Elise Backdoor, Suspicious Microsoft Defender Antivirus Exclusion Command, Exploiting SetupComplete.cmd CVE-2019-1378, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Microsoft Office Spawning Script, PowerShell EncodedCommand, Suspicious Taskkill Command, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, PowerShell Download From URL, Suspicious Windows Script Execution, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PrinterPorts Creation (CVE-2020-1048), Microsoft Defender Antivirus Disabled Base64 Encoded, Trickbot Malware Activity, Default Encoding To UTF-8 PowerShell, Phorpiex DriveMgr Command, PowerShell Downgrade Attack, AutoIt3 Execution From Suspicious Folder, Mshta Suspicious Child Process, Sysprep On AppData Folder, MalwareBytes Uninstallation, Suspicious Outlook Child Process, Suspicious VBS Execution Parameter, Powershell Web Request, Suspicious Cmd.exe Command Line, SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, Lazarus Loaders, QakBot Process Creation, Koadic Execution, Exploited CVE-2020-10189 Zoho ManageEngine, WMIC Uninstall Product, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1552", "score": 100, "comment": "Rules: Container Credential Access, Adexplorer Usage, XCopy Suspicious Usage, Opening Of a Password File, Outlook Registry Access"}, {"techniqueID": "T1552.001", "score": 100, "comment": "Rules: Opening Of a Password File, Adexplorer Usage, XCopy Suspicious Usage"}, {"techniqueID": "T1059.001", "score": 100, "comment": "Rules: Powershell Web Request, PowerShell Download From URL, PowerShell Downgrade Attack, Mshta Suspicious Child Process, Suspicious Microsoft Defender Antivirus Exclusion Command, PowerShell Malicious Nishang PowerShell Commandlets, Suspicious PowerShell Invocations - Specific, Bloodhound and Sharphound Tools Usage, Suspicious PrinterPorts Creation (CVE-2020-1048), Exploited CVE-2020-10189 Zoho ManageEngine, Microsoft Defender Antivirus Disabled Base64 Encoded, PowerShell EncodedCommand, Suspicious Taskkill Command, DNS Exfiltration and Tunneling Tools Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded, Default Encoding To UTF-8 PowerShell"}, {"techniqueID": "T1204.002", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1204", "score": 100, "comment": "Rules: Explorer Process Executing HTA File, Winword Document Droppers, MS Office Product Spawning Exe in User Dir, Download Files From Suspicious TLDs, SquirrelWaffle Malspam Execution Loading DLL, Exploit For CVE-2015-1641, Microsoft Office Spawning Script, Suspicious Outlook Child Process, Microsoft Office Product Spawning Windows Shell, IcedID Execution Using Excel"}, {"techniqueID": "T1003.002", "score": 100, "comment": "Rules: Copying Browser Files With Credentials, Grabbing Sensitive Hives Via Reg Utility, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003", "score": 100, "comment": "Rules: Process Memory Dump Using Comsvcs, Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon, HackTools Suspicious Process Names In Command Line, Copying Browser Files With Credentials, Rubeus Tool Command-line, NTDS.dit File Interaction Through Command Line, Process Trace Alteration, Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1003.003", "score": 100, "comment": "Rules: NTDS.dit File Interaction Through Command Line, Copying Sensitive Files With Credential Data"}, {"techniqueID": "T1048.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1048", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution, Powershell UploadString Function, Exfiltration Domain In Command Line"}, {"techniqueID": "T1071.004", "score": 100, "comment": "Rules: DNS Tunnel Technique From MuddyWater, DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132.001", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1132", "score": 100, "comment": "Rules: DNS Exfiltration and Tunneling Tools Execution"}, {"techniqueID": "T1140", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Microsoft Defender Antivirus Exclusion Command, Microsoft Defender Antivirus Disabled Base64 Encoded, Suspicious Mshta Execution, Microsoft Defender Antivirus Set-MpPreference Base64 Encoded"}, {"techniqueID": "T1218.005", "score": 100, "comment": "Rules: Mshta JavaScript Execution, Suspicious Taskkill Command, Explorer Process Executing HTA File, Suspicious Mshta Execution"}, {"techniqueID": "T1569", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent, Windows Update LolBins"}, {"techniqueID": "T1222.001", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1222", "score": 100, "comment": "Rules: File Or Folder Permissions Modifications, ICacls Granting Access To All"}, {"techniqueID": "T1191", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution"}, {"techniqueID": "T1218.003", "score": 100, "comment": "Rules: MOFComp Execution, CMSTP Execution, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1040", "score": 100, "comment": "Rules: Network Sniffing, Network Sniffing Windows, WiFi Credentials Harvesting Using Netsh, Capture a network trace with netsh.exe"}, {"techniqueID": "T1546.009", "score": 100, "comment": "Rules: New DLL Added To AppCertDlls Registry Key"}, {"techniqueID": "T1546", "score": 100, "comment": "Rules: Control Panel Items, New DLL Added To AppCertDlls Registry Key, WMI Persistence Script Event Consumer File Write, Sticky Key Like Backdoor Usage, Suspicious Netsh DLL Persistence, Change Default File Association"}, {"techniqueID": "T1567.002", "score": 100, "comment": "Rules: Rclone Process"}, {"techniqueID": "T1567", "score": 100, "comment": "Rules: Powershell UploadString Function, Rclone Process, Exfiltration Domain In Command Line"}, {"techniqueID": "T1105", "score": 100, "comment": "Rules: Suspicious certutil command, Suspicious Headless Web Browser Execution To Download File, Suspicious URI Used In A Lazarus Campaign, Pandemic Windows Implant, Suspicious Finger Usage, Rclone Process"}, {"techniqueID": "T1070", "score": 100, "comment": "Rules: ETW Tampering, Microsoft Defender Antivirus History Directory Deleted, Erase Shell History, High Privileges Network Share Removal, Clear EventLogs Through CommandLine"}, {"techniqueID": "T1562.006", "score": 100, "comment": "Rules: Clear EventLogs Through CommandLine, ETW Tampering"}, {"techniqueID": "T1190", "score": 100, "comment": "Rules: CVE-2021-22893 Pulse Connect Secure RCE Vulnerability, CVE-2020-17530 Apache Struts RCE, Suspicious DNS Child Process, CVE-2020-0688 Microsoft Exchange Server Exploit, Exploited CVE-2020-10189 Zoho ManageEngine, CVE-2021-20021 SonicWall Unauthenticated Administrator Access"}, {"techniqueID": "T1569.002", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Usage Of Procdump With Common Arguments, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, PsExec Process, Searchprotocolhost Wrong Parent, Rare Logonui Child Found, Winlogon wrong parent, Csrss Child Found, SolarWinds Wrong Child Process, Usage Of Sysinternals Tools, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Suspicious DNS Child Process, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1036.005", "score": 100, "comment": "Rules: Exploit For CVE-2017-0261 Or CVE-2017-0262, Phorpiex Process Masquerading, Explorer Wrong Parent, Formbook Hijacked Process Command"}, {"techniqueID": "T1036", "score": 100, "comment": "Rules: Non-Legitimate Executable Using AcceptEula Parameter, Explorer Wrong Parent, Formbook Hijacked Process Command, Suspicious Cmd.exe Command Line, Phorpiex Process Masquerading, AutoIt3 Execution From Suspicious Folder, Possible Malicious File Double Extension, Suspicious Cmd File Copy Command To Network Share, Exploit For CVE-2017-0261 Or CVE-2017-0262"}, {"techniqueID": "T1055", "score": 100, "comment": "Rules: Taskhostw Wrong Parent, Explorer Wrong Parent, Searchindexer Wrong Parent, Searchprotocolhost Wrong Parent, MavInject Process Injection, Address Space Layout Randomization (ASLR) Alteration, Smss Wrong Parent, Taskhost Wrong Parent, Svchost Wrong Parent, Wmiprvse Wrong Parent, Suspicious Process Requiring DLL Starts Without DLL, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent"}, {"techniqueID": "T1543.003", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Winlogon wrong parent, Csrss Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1543", "score": 100, "comment": "Rules: Searchindexer Wrong Parent, Winword wrong parent, Dllhost Wrong Parent, Taskhost or Taskhostw Suspicious Child Found, Userinit Wrong Parent, Rare Logonui Child Found, Searchprotocolhost Wrong Parent, Winlogon wrong parent, Csrss Child Found, SolarWinds Wrong Child Process, OneNote Suspicious Children Process, Logonui Wrong Parent, Rare Lsass Child Found, Wmiprvse Wrong Parent, New Service Creation, Lsass Wrong Parent, Wsmprovhost Wrong Parent, Spoolsv Wrong Parent, Taskhostw Wrong Parent, Explorer Wrong Parent, Searchprotocolhost Child Found, Smss Wrong Parent, Svchost Wrong Parent, Csrss Wrong Parent, Suspicious Commands From MS SQL Server Shell, Taskhost Wrong Parent"}, {"techniqueID": "T1218.011", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, PowerShell Execution Via Rundll32, Suspicious DLL Loading By Ordinal, Empire Monkey Activity, Suspicious Rundll32.exe Execution, Equation Group DLL_U Load, IcedID Execution Using Excel"}, {"techniqueID": "T1482", "score": 100, "comment": "Rules: AdFind Usage, Bloodhound and Sharphound Tools Usage, NlTest Usage, Trickbot Malware Activity, Domain Trust Discovery Through LDAP"}, {"techniqueID": "T1053.005", "score": 100, "comment": "Rules: Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1053", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Spyware Persistence Using Schtasks, STRRAT Scheduled Task, Qakbot Persistence Using Schtasks, Cron Files Alteration, BazarLoader Persistence Using Schtasks, Schtasks Persistence With High Privileges, Suspicious Scheduled Task Creation, Schtasks Suspicious Parent"}, {"techniqueID": "T1566.001", "score": 100, "comment": "Rules: Suspicious Double Extension, Suspicious HWP Child Process"}, {"techniqueID": "T1203", "score": 100, "comment": "Rules: Suspicious HWP Child Process, Exploit For CVE-2015-1641, Download Files From Suspicious TLDs"}, {"techniqueID": "T1071.001", "score": 100, "comment": "Rules: Python HTTP Server, Detect requests to Konni C2 servers, Koadic MSHTML Command, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1505.003", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, PowerCat Function Loading, Exchange Server Spawning Suspicious Processes, Webshell Execution W3WP Process"}, {"techniqueID": "T1505", "score": 100, "comment": "Rules: ProxyShell Exchange Suspicious Paths, Webshell Execution W3WP Process, Exchange Server Spawning Suspicious Processes, PowerCat Function Loading, IIS Module Installation Using AppCmd"}, {"techniqueID": "T1572", "score": 100, "comment": "Rules: SOCKS Tunneling Tool, Netsh Port Forwarding, Ngrok Process Execution, Exfiltration And Tunneling Tools Execution"}, {"techniqueID": "T1560.001", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1560", "score": 100, "comment": "Rules: Data Compressed With Rar With Password, Data Compressed With Rar"}, {"techniqueID": "T1556", "score": 100, "comment": "Rules: KeePass Config XML In Command-Line"}, {"techniqueID": "T1176", "score": 100, "comment": "Rules: Malicious Browser Extensions"}, {"techniqueID": "T1087.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1087.002", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.001", "score": 100, "comment": "Rules: Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1069.002", "score": 100, "comment": "Rules: Domain Group And Permission Enumeration, Bloodhound and Sharphound Tools Usage"}, {"techniqueID": "T1005", "score": 100, "comment": "Rules: Exchange PowerShell Snap-Ins To Export Exchange Mailbox Data"}, {"techniqueID": "T1003.001", "score": 100, "comment": "Rules: Process Memory Dump Using Rdrleakdiag, Windows Credential Editor Registry Key"}, {"techniqueID": "T1218.007", "score": 100, "comment": "Rules: Suspicious Windows Installer Execution"}, {"techniqueID": "T1112", "score": 100, "comment": "Rules: FlowCloud Malware, Disable Workstation Lock, Blue Mockingbird Malware, OceanLotus Registry Activity, RDP Sensitive Settings Changed, Ursnif Registry Key, RedMimicry Winnti Playbook Registry Manipulation"}, {"techniqueID": "T1548.002", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1548", "score": 100, "comment": "Rules: UAC Bypass Using Fodhelper, UAC Bypass Via Sdclt, UAC Bypass via Event Viewer, CMSTP UAC Bypass via COM Object Access"}, {"techniqueID": "T1036.003", "score": 100, "comment": "Rules: Suspicious Cmd.exe Command Line, Suspicious Cmd File Copy Command To Network Share"}, {"techniqueID": "T1055.001", "score": 100, "comment": "Rules: MavInject Process Injection"}, {"techniqueID": "T1082", "score": 100, "comment": "Rules: List Shadow Copies, System Info Discovery, Suspicious Headless Web Browser Execution To Download File, Listing Systemd Environment"}, {"techniqueID": "T1546.008", "score": 100, "comment": "Rules: Sticky Key Like Backdoor Usage"}, {"techniqueID": "T1003.004", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility"}, {"techniqueID": "T1003.005", "score": 100, "comment": "Rules: Grabbing Sensitive Hives Via Reg Utility, Cmdkey Cached Credentials Recon"}, {"techniqueID": "T1547.001", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1547", "score": 100, "comment": "Rules: Leviathan Registry Key Activity, Security Support Provider (SSP) Added to LSA Configuration, Kernel Module Alteration, RUN Registry Key Created From Suspicious Folder, Autorun Keys Modification"}, {"techniqueID": "T1546.003", "score": 100, "comment": "Rules: WMI Persistence Script Event Consumer File Write"}, {"techniqueID": "T1070.001", "score": 100, "comment": "Rules: Microsoft Defender Antivirus History Directory Deleted"}, {"techniqueID": "T1547.005", "score": 100, "comment": "Rules: Security Support Provider (SSP) Added to LSA Configuration"}, {"techniqueID": "T1218.010", "score": 100, "comment": "Rules: Suspicious Regsvr32 Execution, IcedID Execution Using Excel"}, {"techniqueID": "T1122", "score": 100, "comment": "Rules: Windows Registry Persistence COM Key Linking"}, {"techniqueID": "T1114.001", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1114", "score": 100, "comment": "Rules: Outlook Registry Access, Exchange Mailbox Export"}, {"techniqueID": "T1137.001", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1137", "score": 100, "comment": "Rules: IcedID Execution Using Excel"}, {"techniqueID": "T1558.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1558", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550.003", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1550", "score": 100, "comment": "Rules: Rubeus Tool Command-line"}, {"techniqueID": "T1553.004", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1553", "score": 100, "comment": "Rules: Suspicious certutil command, Certificate Authority Modification"}, {"techniqueID": "T1049", "score": 100, "comment": "Rules: Cmd.exe Used To Run Reconnaissance Commands"}, {"techniqueID": "T1486", "score": 100, "comment": "Rules: RYUK Ransomeware - martinstevens Username, Suncrypt Parameters"}, {"techniqueID": "T1047", "score": 100, "comment": "Rules: Suspicious Mshta Execution From Wmi, Wmic Service Call, Wmic Process Call Creation, Blue Mockingbird Malware, XSL Script Processing And SquiblyTwo Attack, WMIC Uninstall Product, Impacket Wmiexec Module, WMI Install Of Binary"}, {"techniqueID": "T1564.001", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe"}, {"techniqueID": "T1564", "score": 100, "comment": "Rules: Hiding Files With Attrib.exe, Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1574.010", "score": 100, "comment": "Rules: Hijack Legit RDP Session To Move Laterally"}, {"techniqueID": "T1574", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378, Hijack Legit RDP Session To Move Laterally, Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1046", "score": 100, "comment": "Rules: Advanced IP Scanner"}, {"techniqueID": "T1546.007", "score": 100, "comment": "Rules: Suspicious Netsh DLL Persistence"}, {"techniqueID": "T1518.001", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1518", "score": 100, "comment": "Rules: WMIC Command To Determine The Antivirus"}, {"techniqueID": "T1571", "score": 100, "comment": "Rules: Suspicious Network Args In Command Line"}, {"techniqueID": "T1136", "score": 100, "comment": "Rules: CVE-2021-20021 SonicWall Unauthenticated Administrator Access, Net.exe User Account Creation"}, {"techniqueID": "T1136.001", "score": 100, "comment": "Rules: Net.exe User Account Creation"}, {"techniqueID": "T1090.001", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1090", "score": 100, "comment": "Rules: Netsh Port Forwarding"}, {"techniqueID": "T1033", "score": 100, "comment": "Rules: RDP Session Discovery"}, {"techniqueID": "T1539", "score": 100, "comment": "Rules: Copying Browser Files With Credentials"}, {"techniqueID": "T1059.005", "score": 100, "comment": "Rules: SquirrelWaffle Malspam Execution Loading DLL, XSL Script Processing And SquiblyTwo Attack, QakBot Process Creation, Suspicious Windows Script Execution, Koadic Execution, Microsoft Office Spawning Script, Suspicious VBS Execution Parameter"}, {"techniqueID": "T1016", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1564.003", "score": 100, "comment": "Rules: Suspicious Headless Web Browser Execution To Download File"}, {"techniqueID": "T1490", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups, Inhibit System Recovery Deleting Backups, Suncrypt Parameters"}, {"techniqueID": "T1059.007", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack, Koadic Execution, Suspicious Windows Script Execution"}, {"techniqueID": "T1134.001", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1134.002", "score": 100, "comment": "Rules: Meterpreter or Cobalt Strike Getsystem Service Installation"}, {"techniqueID": "T1012", "score": 100, "comment": "Rules: Suspicious Taskkill Command"}, {"techniqueID": "T1552.002", "score": 100, "comment": "Rules: Outlook Registry Access"}, {"techniqueID": "T1546.001", "score": 100, "comment": "Rules: Change Default File Association"}, {"techniqueID": "T1197", "score": 100, "comment": "Rules: BITSAdmin Download"}, {"techniqueID": "T1123", "score": 100, "comment": "Rules: Audio Capture via PowerShell"}, {"techniqueID": "T1053.002", "score": 100, "comment": "Rules: Blue Mockingbird Malware, Schtasks Persistence With High Privileges, Qakbot Persistence Using Schtasks"}, {"techniqueID": "T1489", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1485", "score": 100, "comment": "Rules: Commonly Used Commands To Stop Services And Remove Backups"}, {"techniqueID": "T1027", "score": 100, "comment": "Rules: PowerShell EncodedCommand"}, {"techniqueID": "T1220", "score": 100, "comment": "Rules: XSL Script Processing And SquiblyTwo Attack"}, {"techniqueID": "T1070.005", "score": 100, "comment": "Rules: High Privileges Network Share Removal"}, {"techniqueID": "T1068", "score": 100, "comment": "Rules: Exploiting SetupComplete.cmd CVE-2019-1378"}, {"techniqueID": "T1064", "score": 100, "comment": "Rules: Suspicious VBS Execution Parameter"}, {"techniqueID": "T1127.001", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1127", "score": 100, "comment": "Rules: MSBuild Abuse"}, {"techniqueID": "T1555", "score": 100, "comment": "Rules: PasswordDump SecurityXploded Tool"}, {"techniqueID": "T1085", "score": 100, "comment": "Rules: PowerShell Execution Via Rundll32"}, {"techniqueID": "T1574.006", "score": 100, "comment": "Rules: Dynamic Linker Hijacking From Environment Variable"}, {"techniqueID": "T1098", "score": 100, "comment": "Rules: Add User to Privileged Group, SSH Authorized Key Alteration"}, {"techniqueID": "T1098.004", "score": 100, "comment": "Rules: SSH Authorized Key Alteration"}, {"techniqueID": "T1055.009", "score": 100, "comment": "Rules: Address Space Layout Randomization (ASLR) Alteration"}, {"techniqueID": "T1552.007", "score": 100, "comment": "Rules: Container Credential Access"}, {"techniqueID": "T1053.003", "score": 100, "comment": "Rules: Cron Files Alteration"}, {"techniqueID": "T1070.003", "score": 100, "comment": "Rules: Erase Shell History"}, {"techniqueID": "T1003.007", "score": 100, "comment": "Rules: Process Trace Alteration"}, {"techniqueID": "T1202", "score": 100, "comment": "Rules: CVE 2022-1292"}, {"techniqueID": "T1547.006", "score": 100, "comment": "Rules: Kernel Module Alteration"}, {"techniqueID": "T1018", "score": 100, "comment": "Rules: Network Scanning and Discovery"}, {"techniqueID": "T1036.007", "score": 100, "comment": "Rules: Possible Malicious File Double Extension"}, {"techniqueID": "T1074", "score": 100, "comment": "Rules: CVE-2021-20023 SonicWall Arbitrary File Read"}, {"techniqueID": "T1204.001", "score": 100, "comment": "Rules: Download Files From Suspicious TLDs"}]} \ No newline at end of file diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md index d85e72844d..30002b1447 100644 --- a/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/built_in_rules_changelog_do_not_edit_manually.md @@ -1,10 +1,13 @@ -Changelog _last update on 2023-11-02_ +Changelog _last update on 2023-11-07_ ## Changelog ### Write To File In Systemd - 26/10/2023 - minor - Added filter to reduce false positives. +### CMSTP Execution + - 19/10/2023 - minor - Slight change in selection to reduce false positives. Adding similarity. + ### Domain Trust Discovery Through LDAP - 19/10/2023 - minor - improve filter to reduce false positives diff --git a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md index 8ffc5bfd97..1573081a41 100644 --- a/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/built_in_rules_do_not_edit_manually.md @@ -1,4 +1,4 @@ -Rules catalog includes **768 built-in detection rules** ([_last update on 2023-11-02_](rules_changelog.md)). +Rules catalog includes **768 built-in detection rules** ([_last update on 2023-11-07_](rules_changelog.md)). ## Reconnaissance **Gather Victim Network Information** @@ -1899,6 +1899,10 @@ Rules catalog includes **768 built-in detection rules** ([_last update on 2023-1 - **Effort:** intermediate + - **Changelog:** + + - 19/10/2023 - minor - Slight change in selection to reduce false positives. Adding similarity. + ??? abstract "MOFComp Execution" Detects rare usage of the Managed Object Format (MOF) compiler on Microsoft Windows. This could be abused by some attackers to load WMI classes. @@ -6315,6 +6319,10 @@ Rules catalog includes **768 built-in detection rules** ([_last update on 2023-1 - **Effort:** intermediate + - **Changelog:** + + - 19/10/2023 - minor - Slight change in selection to reduce false positives. Adding similarity. + ??? abstract "MOFComp Execution" Detects rare usage of the Managed Object Format (MOF) compiler on Microsoft Windows. This could be abused by some attackers to load WMI classes. @@ -6393,6 +6401,10 @@ Rules catalog includes **768 built-in detection rules** ([_last update on 2023-1 - **Effort:** intermediate + - **Changelog:** + + - 19/10/2023 - minor - Slight change in selection to reduce false positives. Adding similarity. + ??? abstract "CMSTP UAC Bypass via COM Object Access" Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.md index cd1288f74a..b69b97050e 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_0642b03a-9d4a-4c88-a5e2-4597e366b8c4_do_not_edit_manually.md @@ -21,12 +21,6 @@ The following Sekoia.io built-in rules match the intake **VMware vCenter**. This - **Effort:** intermediate -??? abstract "CMSTP Execution" - - Detects various indicators of Microsoft Connection Manager Profile Installer execution - - - **Effort:** intermediate - ??? abstract "Certificate Authority Modification" Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.md index e1e361b750..0d3f6183dd 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_1d172ee6-cdc0-4713-9cfd-43f7d9595777_do_not_edit_manually.md @@ -27,12 +27,6 @@ The following Sekoia.io built-in rules match the intake **CEF**. This documentat - **Effort:** intermediate -??? abstract "CMSTP Execution" - - Detects various indicators of Microsoft Connection Manager Profile Installer execution - - - **Effort:** intermediate - ??? abstract "CVE-2018-11776 Apache Struts2" Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.md index 9478df6ec7..829ef6ee01 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_2ee6048e-8322-4575-8e47-1574946412b6_do_not_edit_manually.md @@ -33,12 +33,6 @@ The following Sekoia.io built-in rules match the intake **Cisco ESA [BETA]**. Th - **Effort:** intermediate -??? abstract "CMSTP Execution" - - Detects various indicators of Microsoft Connection Manager Profile Installer execution - - - **Effort:** intermediate - ??? abstract "CVE-2018-11776 Apache Struts2" Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.md index 0e18ef6a61..6b4245ac5a 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_40bac399-2d8e-40e3-af3b-f73a622c9687_do_not_edit_manually.md @@ -33,12 +33,6 @@ The following Sekoia.io built-in rules match the intake **Skyhigh Secure Web Gat - **Effort:** intermediate -??? abstract "CMSTP Execution" - - Detects various indicators of Microsoft Connection Manager Profile Installer execution - - - **Effort:** intermediate - ??? abstract "CVE-2018-11776 Apache Struts2" Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.md index a8c4fb4cdc..f068a4467d 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_419bd705-fa61-496c-94fa-28d6c1f2e2a8_do_not_edit_manually.md @@ -57,12 +57,6 @@ The following Sekoia.io built-in rules match the intake **Broadcom/Symantec Endp - **Effort:** intermediate -??? abstract "CMSTP Execution" - - Detects various indicators of Microsoft Connection Manager Profile Installer execution - - - **Effort:** intermediate - ??? abstract "CVE-2020-0688 Microsoft Exchange Server Exploit" Detects the exploitation of CVE-2020-0688. The POC exploit a .NET serialization vulnerability in the Exchange Control Panel (ECP) web page. The vulnerability is due to Microsoft Exchange Server not randomizing the keys on a per-installation basis resulting in them using the same validationKey and decryptionKey values. With knowledge of these, values an attacker can craft a special viewstate to use an OS command to be executed by NT_AUTHORITY\SYSTEM using .NET deserialization. To exploit this vulnerability, an attacker needs to leverage the credentials of an account it had already compromised to authenticate to OWA. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.md index cff8bb5bca..4921df78ce 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_466aeca2-e112-4ccc-a109-c6d85b91bbcf_do_not_edit_manually.md @@ -27,12 +27,6 @@ The following Sekoia.io built-in rules match the intake **Cisco Secure Firewall* - **Effort:** intermediate -??? abstract "CMSTP Execution" - - Detects various indicators of Microsoft Connection Manager Profile Installer execution - - - **Effort:** intermediate - ??? abstract "CVE-2018-11776 Apache Struts2" Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md index b1983cf16b..4e4c13d420 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_9f89b634-0531-437b-b060-a9d9f2d270db_do_not_edit_manually.md @@ -21,12 +21,6 @@ The following Sekoia.io built-in rules match the intake **Cybereason EDR**. This - **Effort:** intermediate -??? abstract "CMSTP Execution" - - Detects various indicators of Microsoft Connection Manager Profile Installer execution - - - **Effort:** intermediate - ??? abstract "CVE-2021-34527 - PrintNightmare - Suspicious Actions From Spoolsv" Detects suspicious image loads and file creations from the spoolsv process which could be a sign of an attacker trying to exploit the PrintNightmare vulnerability, CVE-2021-34527. A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. This works as well as a Local Privilege escalation vulnerability. To fully work the rule requires to log for Loaded DLLs and File Creations, which can be done respectively using the Sysmon's event IDs 7 and 11. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.md index 36b3b96672..2ea3e44a20 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_a1dbed03-cd69-4a51-8ae5-aa67d2f29fcb_do_not_edit_manually.md @@ -21,12 +21,6 @@ The following Sekoia.io built-in rules match the intake **Jumpcloud Directory In - **Effort:** intermediate -??? abstract "CMSTP Execution" - - Detects various indicators of Microsoft Connection Manager Profile Installer execution - - - **Effort:** intermediate - ??? abstract "Certificate Authority Modification" Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.md index 7cd5c53797..8a1c9d5350 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_ba40ab72-1456-11ee-be56-0242ac120002_do_not_edit_manually.md @@ -21,12 +21,6 @@ The following Sekoia.io built-in rules match the intake **Trellix EPO [ALPHA]**. - **Effort:** intermediate -??? abstract "CMSTP Execution" - - Detects various indicators of Microsoft Connection Manager Profile Installer execution - - - **Effort:** intermediate - ??? abstract "Certificate Authority Modification" Installation of new certificate(s) in the Certificate Authority can be used to trick user when spoofing website or to add trusted destinations. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md index da430cf747..8abc4f1d40 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_c10307ea-5dd1-45c6-85aa-2a6a900df99b_do_not_edit_manually.md @@ -117,12 +117,30 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** elementary +??? abstract "Burp Suite Tool Detected" + + Burp Suite is a cybersecurity tool. When used as a proxy service, its purpose is to intercept packets and modify them to send them to the server. Burp Collaborator is a network service that Burp Suite uses to help discover many kinds of vulnerabilities (vulnerabilities scanner) + + - **Effort:** intermediate + ??? abstract "CMSTP Execution" Detects various indicators of Microsoft Connection Manager Profile Installer execution - **Effort:** intermediate +??? abstract "CMSTP UAC Bypass via COM Object Access" + + Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects + + - **Effort:** intermediate + +??? abstract "CVE 2022-1292" + + The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. + + - **Effort:** advanced + ??? abstract "CVE-2017-11882 Microsoft Office Equation Editor Vulnerability" Detects the exploitation of CVE-2017-11882 vulnerability. The Microsoft Office Equation Editor has no reason to do a network request or drop an executable file. This requires a sysmon configuration with file and network events. @@ -435,6 +453,18 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** advanced +??? abstract "Exploited CVE-2020-10189 Zoho ManageEngine" + + Detects the exploitation of Zoho ManageEngine Desktop Central Java Deserialization vulnerability reported as CVE-2020-10189 + + - **Effort:** elementary + +??? abstract "Exploiting SetupComplete.cmd CVE-2019-1378" + + Detects exploitation attempts of privilege escalation vulnerability via SetupComplete.cmd and PartnerSetupComplete.cmd described in CVE-2019-1378 + + - **Effort:** intermediate + ??? abstract "Explorer Process Executing HTA File" Detects a suspicious execution of an HTA file by the explorer.exe process. This unusual activity was observed when running IcedID malspam. @@ -453,6 +483,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** advanced +??? abstract "Failed Logon Source From Public IP Addresses" + + A login from a public IP can indicate a misconfigured firewall or network boundary. The sekoia.tags are used to filter internal Ipv4 addresses (10.0.0.0/8 172.16.0.0/12 127.0.0.0/8 169.254.0.0/16 192.168.0.0/16). + + - **Effort:** master + ??? abstract "File Or Folder Permissions Modifications" Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files. @@ -471,6 +507,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** intermediate +??? abstract "Formbook Hijacked Process Command" + + Detects process hijacked by Formbook malware which executes specific commands to delete the dropper or copy browser credentials to the database before sending them to the C2. + + - **Effort:** intermediate + ??? abstract "FromBase64String Command Line" Detects suspicious FromBase64String expressions in command line arguments @@ -819,6 +861,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** master +??? abstract "Netsh Program Allowed With Suspicious Location" + + Detects Netsh commands that allow a suspcious application location on Windows Firewall, seen on kasidet worm. Last part of the existing rule (commandline startwith) was not added to this rule because it is not relevant. + + - **Effort:** intermediate + ??? abstract "Netsh RDP Port Forwarding" Detects netsh commands that configure a port forwarding of port 3389 used for RDP. This is commonly used by attackers during lateralization on windows environments. @@ -975,6 +1023,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** intermediate +??? abstract "Potential DNS Tunnel" + + Detects domain name which is longer than 95 characters. Long domain names are distinctive of DNS tunnels. + + - **Effort:** advanced + ??? abstract "PowerCat Function Loading" Detect a basic execution of PowerCat. PowerCat is a PowerShell function allowing to do basic connections, file transfer, shells, relays, generate payloads. @@ -1143,6 +1197,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** intermediate +??? abstract "RDP Login From Localhost" + + Detects RDP login from localhost source address, which may be a tunnelled login to bypass network restrictions. + + - **Effort:** elementary + ??? abstract "RDP Sensitive Settings Changed" Detects changes to RDP terminal service sensitive settings. Logging for registry events is needed in the Sysmon configuration (events 12 and 13). @@ -1167,6 +1227,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** advanced +??? abstract "RYUK Ransomeware - martinstevens Username" + + Detects user name "martinstevens". Wizard Spider is used to add the user name "martinstevens" to the AD of its victims. It was observed in several campaigns; in 2019 and 2020. + + - **Effort:** elementary + ??? abstract "Raccine Uninstall" Detects commands that indicate a Raccine removal from an end system. Raccine is a free ransomware protection tool. @@ -1209,6 +1275,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** advanced +??? abstract "SEKOIA.IO Intelligence Feed" + + Detect threats based on indicators of compromise (IOCs) collected by SEKOIA's Threat and Detection Research team. + + - **Effort:** elementary + ??? abstract "SOCKS Tunneling Tool" Detects the usage of a SOCKS tunneling tool, often used by threat actors. These tools often use the socks5 commandline argument, however socks4 can sometimes be used as well. Unfortunately, socks alone (without any number) triggered too many false positives. @@ -1269,6 +1341,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** elementary +??? abstract "Sliver DNS Beaconing" + + Detects suspicious DNS queries known from Sliver beaconing + + - **Effort:** intermediate + ??? abstract "Smss Wrong Parent" Detects if the Smss process was executed by a non-legitimate parent process. Session Manager Subsystem (smss) process is a component of the Microsoft Windows NT family of operating systems. @@ -1287,6 +1365,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** intermediate +??? abstract "Spoolsv Wrong Parent" + + Detects if the Spoolsv process was executed by a non-legitimate parent process. Printer Spooler Service (Spoolsv) process is responsible for managing spooled print/fax jobs. + + - **Effort:** intermediate + ??? abstract "Spyware Persistence Using Schtasks" Detects possible Agent Tesla or Formbook persistence using schtasks. The name of the scheduled task used by these malware is very specific (Updates/randomstring). @@ -1473,6 +1557,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** intermediate +??? abstract "Suspicious Scheduled Task Creation" + + Detects suspicious scheduled task creation, either executed by a non-system user or a user who is not administrator (the user ID is not S-1-5-18 or S-1-5-18-*). This detection rule doesn't match Sysmon EventID 1 because the user SID is always set to S-1-5-18. + + - **Effort:** intermediate + ??? abstract "Suspicious Taskkill Command" Detects rare taskkill command being used. It could be related to Baby Shark malware. @@ -1485,6 +1575,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** elementary +??? abstract "Suspicious Windows DNS Queries" + + Detects a suspicious Windows command-line process making a DNS query via known abuse text paste web services. This is based on Microsoft Windows Sysmon events (Event ID 22). + + - **Effort:** advanced + ??? abstract "Suspicious Windows Installer Execution" Detects suspicious execution of the Windows Installer service (msiexec.exe) which could be used to install a malicious MSI package hosted on a remote server. @@ -1557,6 +1653,18 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** intermediate +??? abstract "Telegram Bot API Request" + + Detects suspicious DNS queries to api.telegram.org used by Telegram Bots of any kind + + - **Effort:** advanced + +??? abstract "Trickbot Malware Activity" + + Detects Trickbot malware process tree pattern in which rundll32.exe is parent of wermgr.exe + + - **Effort:** intermediate + ??? abstract "TrustedInstaller Impersonation" The rule detects attempts to impersonate TrustedInstaller. TrustedInstaller rights could allow a threat actor to delete or modify protected file or create/delete/modify files in protected folders. This technique is used by threat actors to disable Windows Defender. @@ -1659,6 +1767,12 @@ The following Sekoia.io built-in rules match the intake **Elastic Winlogbeat**. - **Effort:** master +??? abstract "Webshell Execution W3WP Process" + + Detects possible webshell execution on Windows Servers which is usually a w3wp parent process with the user name DefaultAppPool. + + - **Effort:** advanced + ??? abstract "WiFi Credentials Harvesting Using Netsh" Detects the harvesting of WiFi credentials using netsh.exe, used in particular by Agent Tesla (RAT) and Turla Mosquito (RAT) diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md index 890f068866..d0d543591f 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_caa13404-9243-493b-943e-9848cadb1f99_do_not_edit_manually.md @@ -33,12 +33,6 @@ The following Sekoia.io built-in rules match the intake **Microsoft 365 / Office - **Effort:** intermediate -??? abstract "CMSTP Execution" - - Detects various indicators of Microsoft Connection Manager Profile Installer execution - - - **Effort:** intermediate - ??? abstract "CVE-2017-11882 Microsoft Office Equation Editor Vulnerability" Detects the exploitation of CVE-2017-11882 vulnerability. The Microsoft Office Equation Editor has no reason to do a network request or drop an executable file. This requires a sysmon configuration with file and network events. diff --git a/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md b/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md index 96a49d78ac..86388a07f0 100644 --- a/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md +++ b/_shared_content/operations_center/detection/generated/suggested_rules_ee0b3023-524c-40f6-baf5-b69c7b679887_do_not_edit_manually.md @@ -27,12 +27,6 @@ The following Sekoia.io built-in rules match the intake **SonicWall Firewall**. - **Effort:** intermediate -??? abstract "CMSTP Execution" - - Detects various indicators of Microsoft Connection Manager Profile Installer execution - - - **Effort:** intermediate - ??? abstract "CVE-2018-11776 Apache Struts2" Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. diff --git a/docs/xdr/features/detect/built_in_detection_rules_eventids.md b/docs/xdr/features/detect/built_in_detection_rules_eventids.md index 5e600780f7..aded94c3a0 100644 --- a/docs/xdr/features/detect/built_in_detection_rules_eventids.md +++ b/docs/xdr/features/detect/built_in_detection_rules_eventids.md @@ -1,6 +1,6 @@ # Built-in detection rules, EventIDs and EventProviders relations SEKOIA.IO provides built-in detection rules to illuminate intrusions, adversarial behaviours and suspicious activity escalation chains so you can immediately take steps to remediate. Built-in rules can be customized to your context and according to your security posture. -This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2023-11-02_ +This page aims at helping partners & customers in having their detection coverage by knowing which Event IDs and [Event Providers](https://learn.microsoft.com/en-us/windows/win32/etw/providing-events) are used by rule. **Please note this was retrieved automatically from our tests samples when generating attacks that triggered the rules. It might not be exhaustive and concerns mostly Windows-related rules.** _Last update on 2023-11-07_ The colors of the EventIDs in this page should be interpreted as follow: